docs(queries): update queries catalog (#4045)
Co-authored-by: rogeriopeixotocx <[email protected]>
kicsbot and rogeriopeixotocx authored Aug 13, 2021
1 parent a71c25b commit 678938f
Showing 4 changed files with 16 additions and 4 deletions.
10 changes: 8 additions & 2 deletions docs/queries/all-queries.md
@@ -48,6 +48,7 @@ This page contains all queries.
|API Gateway Without Security Policy<br/><sup><sub>8275fab0-68ec-4705-bbf4-86975edb170e</sub></sup>|CloudFormation|<span style="color:#C00">High</span>|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-securitypolicy">Documentation</a><br/>|
|KMS Key With Vulnerable Policy<br/><sup><sub>da905474-7454-43c0-b8d2-5756ab951aba</sub></sup>|CloudFormation|<span style="color:#C00">High</span>|Insecure Configurations|Checks if the policy is vulnerable and needs updating|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-keypolicy">Documentation</a><br/>|
|Redshift Publicly Accessible<br/><sup><sub>bdf8dcb4-75df-4370-92c4-606e4ae6c4d3</sub></sup>|CloudFormation|<span style="color:#C00">High</span>|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html">Documentation</a><br/>|
|S3 Bucket with Unsecured CORS Rule<br/><sup><sub>3609d27c-3698-483a-9402-13af6ae80583</sub></sup>|CloudFormation|<span style="color:#C00">High</span>|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-cors.html">Documentation</a><br/>|
|Batch Job Definition With Privileged Container Properties<br/><sup><sub>76ddf32c-85b1-4808-8935-7eef8030ab36</sub></sup>|CloudFormation|<span style="color:#C00">High</span>|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-batch-jobdefinition.html">Documentation</a><br/>|
|Root Account Has Active Access Keys<br/><sup><sub>4c137350-7307-4803-8c04-17c09a7a9fcf</sub></sup>|CloudFormation|<span style="color:#C00">High</span>|Insecure Configurations|Check if the root user has any access keys associated to it.|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html">Documentation</a><br/>|
|S3 Static Website Host Enabled<br/><sup><sub>90501b1b-cded-4cc1-9e8b-206b85cda317</sub></sup>|CloudFormation|<span style="color:#C00">High</span>|Insecure Configurations|It's dangerous disabling a block public access settings in bucket or writing a bucket policy that grants public read access|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html">Documentation</a><br/>|
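Review bot: the new "S3 Bucket with Unsecured CORS Rule" row's description, "If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure", does not say what the query treats as insecure, so a catalog reader cannot tell what to change; the neighbouring rows state the concrete condition (e.g. "the attribute 'PubliclyAccessible' must be set to false"). Suggest naming the CorsRule properties the query evaluates (for example which AllowedOrigins or AllowedMethods values it flags) in the same form as the other rows.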
@@ -141,7 +142,7 @@ This page contains all queries.
|EMR Cluster Without Security Configuration<br/><sup><sub>48af92a5-c89b-4936-bc62-1086fe2bab23</sub></sup>|CloudFormation|<span style="color:#C60">Medium</span>|Insecure Configurations|EMR Cluster should have security configuration defined.|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticmapreduce-cluster.html#cfn-elasticmapreduce-cluster-securityconfiguration">Documentation</a><br/>|
|Inline Policies Are Attached To ECS Service<br/><sup><sub>9e8c89b3-7997-4d15-93e4-7911b9db99fd</sub></sup>|CloudFormation|<span style="color:#C60">Medium</span>|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies.|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html">Documentation</a><br/>|
|MQ Broker Is Publicly Accessible<br/><sup><sub>68b6a789-82f8-4cfd-85de-e95332fe6a61</sub></sup>|CloudFormation|<span style="color:#C60">Medium</span>|Insecure Configurations|Check if any MQ Broker is not publicly accessible|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amazonmq-broker.html#cfn-amazonmq-broker-publiclyaccessible">Documentation</a><br/>|
|IAM User Has Too Many Access Keys<br/><sup><sub>48677914-6fdf-40ec-80c4-2b0e94079f54</sub></sup>|CloudFormation|<span style="color:#C60">Medium</span>|Insecure Configurations|Check if any user has more than one access key, which increases the risk of unauthorized access and compromise of credentials.|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html">Documentation</a><br/>|
|IAM User Has Too Many Access Keys<br/><sup><sub>48677914-6fdf-40ec-80c4-2b0e94079f54</sub></sup>|CloudFormation|<span style="color:#C60">Medium</span>|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html">Documentation</a><br/>|
|GitHub Repository Set To Public<br/><sup><sub>5906092d-5f74-490d-9a03-78febe0f65e1</sub></sup>|CloudFormation|<span style="color:#C60">Medium</span>|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codestar-githubrepository.html">Documentation</a><br/>|
|Instance With No VPC<br/><sup><sub>8a6d36cd-0bc6-42b7-92c4-67acc8576861</sub></sup>|CloudFormation|<span style="color:#C60">Medium</span>|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|<a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-vpc.html">Documentation</a><br/>|
|ECR Image Tag Not Immutable<br/><sup><sub>33f41d31-86b1-46a4-81f7-9c9a671f59ac</sub></sup>|CloudFormation|<span style="color:#C60">Medium</span>|Insecure Configurations|ECR should have an image tag be immutable|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html">Documentation</a><br/>|
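Review bot: the rewritten description for "IAM User Has Too Many Access Keys" drops a word: "increases the risk of unauthorized access and compromise credentials" should read "and compromise of credentials" (the replaced line had this right). Suggest "Any IAM user should not have more than one access key, since it increases the risk of unauthorized access and compromise of credentials", or keep the "Check if ..." form used by the surrounding Medium rows.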
@@ -505,6 +506,7 @@ This page contains all queries.
|Authentication Without MFA<br/><sup><sub>3ddfa124-6407-4845-a501-179f90c65097</sub></sup>|Terraform|<span style="color:#C00">High</span>|Insecure Configurations|Users should authenticate with MFA (Multi-factor Authentication)|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy">Documentation</a><br/>|
|No Password Policy Enabled<br/><sup><sub>b592ffd4-0577-44b6-bd35-8c5ee81b5918</sub></sup>|Terraform|<span style="color:#C00">High</span>|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile">Documentation</a><br/>|
|Redshift Publicly Accessible<br/><sup><sub>af173fde-95ea-4584-b904-bb3923ac4bda</sub></sup>|Terraform|<span style="color:#C00">High</span>|Insecure Configurations|Check if 'publicly_accessible' field is true or undefined (default is true)|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster">Documentation</a><br/>|
|S3 Bucket with Unsecured CORS Rule<br/><sup><sub>98a8f708-121b-455b-ae2f-da3fb59d17e1</sub></sup>|Terraform|<span style="color:#C00">High</span>|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#cors_rule">Documentation</a><br/>|
|Batch Job Definition With Privileged Container Properties<br/><sup><sub>66cd88ac-9ddf-424a-b77e-e55e17630bee</sub></sup>|Terraform|<span style="color:#C00">High</span>|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/batch_job_definition">Documentation</a><br/>|
|S3 Bucket Without Enabled MFA Delete<br/><sup><sub>c5b31ab9-0f26-4a49-b8aa-4cc064392f4d</sub></sup>|Terraform|<span style="color:#C00">High</span>|Insecure Configurations|S3 bucket without enabled MFA Delete|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#mfa_delete">Documentation</a><br/>|
|Root Account Has Active Access Keys<br/><sup><sub>970d224d-b42a-416b-81f9-8f4dfe70c4bc</sub></sup>|Terraform|<span style="color:#C00">High</span>|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key">Documentation</a><br/>|
@@ -521,12 +523,14 @@ This page contains all queries.
|Default Security Groups With Unrestricted Traffic<br/><sup><sub>46883ce1-dc3e-4b17-9195-c6a601624c73</sub></sup>|Terraform|<span style="color:#C00">High</span>|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group">Documentation</a><br/>|
|EKS Cluster Has Public Access CIDRs<br/><sup><sub>61cf9883-1752-4768-b18c-0d57f2737709</sub></sup>|Terraform|<span style="color:#C00">High</span>|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster">Documentation</a><br/>|
|HTTP Port Open<br/><sup><sub>ffac8a12-322e-42c1-b9b9-81ff85c39ef7</sub></sup>|Terraform|<span style="color:#C00">High</span>|Networking and Firewall|The HTTP port is open in a Security Group|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group">Documentation</a><br/>|
|Security Group With Unrestricted Access To SSH<br/><sup><sub>65905cec-d691-4320-b320-2000436cb696</sub></sup>|Terraform|<span style="color:#C00">High</span>|Networking and Firewall|SSH' (TCP:22) should not be public in AWS Security Group|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group">Documentation</a><br/>|
|Security Group With Unrestricted Access To SSH<br/><sup><sub>65905cec-d691-4320-b320-2000436cb696</sub></sup>|Terraform|<span style="color:#C00">High</span>|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group">Documentation</a><br/>|
|Route53 Record Undefined<br/><sup><sub>25db74bf-fa3b-44da-934e-8c3e005c0453</sub></sup>|Terraform|<span style="color:#C00">High</span>|Networking and Firewall|Check if Record is set|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record">Documentation</a><br/>|
|Unrestricted Security Group Ingress<br/><sup><sub>4728cd65-a20c-49da-8b31-9c08b423e4db</sub></sup>|Terraform|<span style="color:#C00">High</span>|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0|<a href="https://www.terraform.io/docs/providers/aws/r/security_group.html">Documentation</a><br/>|
|DB Security Group Open To Large Scope<br/><sup><sub>4f615f3e-fb9c-4fad-8b70-2e9f781806ce</sub></sup>|Terraform|<span style="color:#C00">High</span>|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_security_group">Documentation</a><br/>|
|EC2 Instance Has Public IP<br/><sup><sub>5a2486aa-facf-477d-a5c1-b010789459ce</sub></sup>|Terraform|<span style="color:#C00">High</span>|Networking and Firewall|EC2 Instance should not have a public IP address.|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#associate_public_ip_address">Documentation</a><br/>|
|Network ACL With Unrestricted Access To SSH<br/><sup><sub>3af7f2fd-06e6-4dab-b996-2912bea19ba4</sub></sup>|Terraform|<span style="color:#C00">High</span>|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl">Documentation</a><br/>|
|Remote Desktop Port Open<br/><sup><sub>151187cb-0efc-481c-babd-ad24e3c9bc22</sub></sup>|Terraform|<span style="color:#C00">High</span>|Networking and Firewall|The Remote Desktop port is open in a Security Group|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group">Documentation</a><br/>|
|Network ACL With Unrestricted Access To RDP<br/><sup><sub>a20be318-cac7-457b-911d-04cc6e812c25</sub></sup>|Terraform|<span style="color:#C00">High</span>|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl">Documentation</a><br/>|
|ALB Listening on HTTP<br/><sup><sub>de7f5e83-da88-4046-871f-ea18504b1d43</sub></sup>|Terraform|<span style="color:#C00">High</span>|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener">Documentation</a><br/>|
|Unknown Port Exposed To Internet<br/><sup><sub>590d878b-abdc-428f-895a-e2b68a0e1998</sub></sup>|Terraform|<span style="color:#C00">High</span>|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group">Documentation</a><br/>|
|KMS Key With No Deletion Window<br/><sup><sub>0b530315-0ea4-497f-b34c-4ff86268f59d</sub></sup>|Terraform|<span style="color:#C00">High</span>|Observability|AWS KMS Key should have a valid deletion window|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key">Documentation</a><br/>|
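Review bot: the two new Network ACL rows ("... Unrestricted Access To SSH" and "... To RDP") link to the bare `network_acl` resource page, while comparable rows in this hunk anchor to the attribute the query inspects (e.g. `instance#associate_public_ip_address`); suggest anchoring to the ingress block section of that page so the reader lands on the `ingress` rules the query evaluates. The added opening quote on the "Security Group With Unrestricted Access To SSH" row is a good fix; the unchanged EKS row in the same block still reads "is enables and accessible to all: 0.0.0.0/0"" with a stray trailing quote and could be corrected in the same pass.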
@@ -598,6 +602,7 @@ This page contains all queries.
|Certificate RSA Key Bytes Lower Than 256<br/><sup><sub>874d68a3-bfbe-4a4b-aaa0-9e74d7da634b</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api">Documentation</a><br/>|
|EKS Cluster Has Public Access<br/><sup><sub>42f4b905-3736-4213-bfe9-c0660518cda8</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster">Documentation</a><br/>|
|MQ Broker Is Publicly Accessible<br/><sup><sub>4eb5f791-c861-4afd-9f94-f2a6a3fe49cb</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Insecure Configurations|Check if any MQ Broker is not publicly accessible|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker">Documentation</a><br/>|
|IAM User Has Too Many Access Keys<br/><sup><sub>3561130e-9c5f-485b-9e16-2764c82763e5</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key#user">Documentation</a><br/>|
|Instance With No VPC<br/><sup><sub>a31a5a29-718a-4ff4-8001-a69e5e4d029e</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Insecure Configurations|Instance should be configured in VPC (Virtual Private Cloud)|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance">Documentation</a><br/>|
|Redshift Cluster Without VPC<br/><sup><sub>0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#vpc_security_group_ids">Documentation</a><br/>|
|AWS Password Policy With Unchangeable Passwords<br/><sup><sub>9ef7d25d-9764-4224-9968-fa321c56ef76</sub></sup>|Terraform|<span style="color:#C60">Medium</span>|Insecure Configurations|Unchangeable passwords in AWS password policy|<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy">Documentation</a><br/>|
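Review bot: the new Terraform "IAM User Has Too Many Access Keys" row carries the same grammatical slip as its CloudFormation counterpart: "compromise credentials" should be "compromise of credentials". Suggest "Any IAM user should not have more than one access key, since it increases the risk of unauthorized access and compromise of credentials" so the two platform rows stay identical once corrected.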
@@ -1189,6 +1194,7 @@ This page contains all queries.
|EFS Without KMS<br/><sup><sub>bd77554e-f138-40c5-91b2-2a09f878608e</sub></sup>|Ansible|<span style="color:#C00">High</span>|Encryption|Elastic File System (EFS) must have KMS Key ID|<a href="https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html#parameter-kms_key_id">Documentation</a><br/>|
|KMS Key With Vulnerable Policy<br/><sup><sub>5b9d237a-57d5-4177-be0e-71434b0fef47</sub></sup>|Ansible|<span style="color:#C00">High</span>|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|<a href="https://docs.ansible.com/ansible/latest/collections/community/aws/aws_kms_module.html">Documentation</a><br/>|
|Redshift Publicly Accessible<br/><sup><sub>5c6b727b-1382-4629-8ba9-abd1365e5610</sub></sup>|Ansible|<span style="color:#C00">High</span>|Insecure Configurations|Check if 'publicly_accessible' field is true (default is false)|<a href="https://docs.ansible.com/ansible/latest/collections/community/aws/redshift_module.html">Documentation</a><br/>|
|S3 Bucket with Unsecured CORS Rule<br/><sup><sub>3505094c-f77c-4ba0-95da-f83db712f86c</sub></sup>|Ansible|<span style="color:#C00">High</span>|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|<a href="https://docs.ansible.com/ansible/latest/collections/community/aws/aws_s3_cors_module.html#parameter-rules">Documentation</a><br/>|
|Batch Job Definition With Privileged Container Properties<br/><sup><sub>defe5b18-978d-4722-9325-4d1975d3699f</sub></sup>|Ansible|<span style="color:#C00">High</span>|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|<a href="https://docs.ansible.com/ansible/latest/collections/community/aws/aws_batch_job_definition_module.html">Documentation</a><br/>|
|Root Account Has Active Access Keys<br/><sup><sub>e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40</sub></sup>|Ansible|<span style="color:#C00">High</span>|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|<a href="https://docs.ansible.com/ansible/latest/collections/community/aws/iam_module.html">Documentation</a><br/>|
|ECS Task Definition Network Mode Not Recommended<br/><sup><sub>01aec7c2-3e4d-4274-ae47-2b8fea22fd1f</sub></sup>|Ansible|<span style="color:#C00">High</span>|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|<a href="https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_taskdefinition_module.html#parameter-network_mode">Documentation</a><br/>|
0 comments on commit 678938f