Skip to content

Latest commit

 

History

History
144 lines (144 loc) · 15.9 KB

rules.md

File metadata and controls

144 lines (144 loc) · 15.9 KB
ID Provider Service Description
aws-s3-no-public-access-with-acl aws s3 S3 Bucket has an ACL defined which allows public access.
aws-s3-enable-bucket-logging aws s3 S3 Bucket does not have logging enabled.
aws-rds-no-classic-resources aws rds AWS Classic resource usage.
aws-elbv2-http-not-used aws elbv2 Use of plain HTTP.
aws-elbv2-alb-not-public aws elbv2 Load balancer is exposed to the internet.
aws-vpc-no-public-ingress-sgr aws vpc An ingress security group rule allows traffic from /0.
aws-vpc-no-public-egress-sgr aws vpc An egress security group rule allows traffic to /0.
aws-vpc-no-public-ingress-sg aws vpc An inline ingress security group rule allows traffic from /0.
aws-vpc-no-public-egress-sg aws vpc An inline egress security group rule allows traffic to /0.
aws-vpc-use-secure-tls-policy aws vpc An outdated SSL policy is in use by a load balancer.
aws-rds-no-public-db-access aws rds A database resource is marked as publicly accessible.
aws-autoscaling-no-public-ip aws autoscaling A resource has a public IP address.
aws-ecs-no-plaintext-secrets aws ecs Task definition defines sensitive environment variable(s).
aws-autoscaling-enable-at-rest-encryption aws autoscaling Launch configuration with unencrypted block device.
aws-sqs-enable-queue-encryption aws sqs Unencrypted SQS queue.
aws-sns-enable-topic-encryption aws sns Unencrypted SNS topic.
aws-s3-enable-bucket-encryption aws s3 Unencrypted S3 bucket.
aws-vpc-add-decription-to-security-group aws vpc Missing description for security group/security group rule.
aws-kms-auto-rotate-keys aws kms A KMS key is not configured to auto-rotate.
aws-cloudfront-enforce-https aws cloudfront CloudFront distribution allows unencrypted (HTTP) communications.
aws-cloudfront-use-secure-tls-policy aws cloudfront CloudFront distribution uses outdated SSL/TLS protocols.
aws-msk-enable-in-transit-encryption aws msk A MSK cluster allows unencrypted data in transit.
aws-ecr-enable-image-scans aws ecr ECR repository has image scans disabled.
aws-kinesis-enable-in-transit-encryption aws kinesis Kinesis stream is unencrypted.
aws-api-gateway-use-secure-tls-policy aws api-gateway API Gateway domain name uses outdated SSL/TLS protocols.
aws-elastic-service-enable-domain-encryption aws elastic-service Elasticsearch domain isn't encrypted at rest.
aws-elastic-search-enable-in-transit-encryption aws elastic-search Elasticsearch domain uses plaintext traffic for node to node communication.
aws-elastic-search-enforce-https aws elastic-search Elasticsearch doesn't enforce HTTPS traffic.
aws-elastic-search-use-secure-tls-policy aws elastic-search Elasticsearch domain endpoint is using outdated TLS policy.
aws-elastic-search-encrypt-replication-group aws elastic-search Unencrypted Elasticache Replication Group.
aws-elasticache-enable-in-transit-encryption aws elasticache Elasticache Replication Group uses unencrypted traffic.
aws-iam-no-password-reuse aws iam IAM Password policy should prevent password reuse.
aws-iam-set-max-password-age aws iam IAM Password policy should have expiry less than or equal to 90 days.
aws-iam-set-minimum-password-length aws iam IAM Password policy should have minimum password length of 14 or more characters.
aws-iam-require-symbols-in-passwords aws iam IAM Password policy should have requirement for at least one symbol in the password.
aws-iam-require-numbers-in-passwords aws iam IAM Password policy should have requirement for at least one number in the password.
aws-iam-require-lowercase-in-passwords aws iam IAM Password policy should have requirement for at least one lowercase character.
aws-iam-require-uppercase-in-passwords aws iam IAM Password policy should have requirement for at least one uppercase character.
aws-misc-no-exposing-plaintext-credentials aws misc AWS provider has access credentials specified.
aws-cloudfront-enable-waf aws cloudfront CloudFront distribution does not have a WAF in front.
aws-sqs-no-wildcards-in-policy-documents aws sqs AWS SQS policy document has wildcard action statement.
aws-efs-enable-at-rest-encryption aws efs EFS Encryption has not been enabled
aws-vpc-no-public-ingress aws vpc An ingress Network ACL rule allows specific ports from /0.
aws-vpc-no-excessive-port-access aws vpc An ingress Network ACL rule allows ALL ports.
aws-rds-encrypt-cluster-storage-data aws rds There is no encryption specified or encryption is disabled on the RDS Cluster.
aws-rds-encrypt-instance-storage-data aws rds RDS encryption has not been enabled at a DB Instance level.
aws-rds-enable-performance-insights aws rds Encryption for RDS Performance Insights should be enabled.
aws-elastic-search-enable-domain-logging aws elastic-search Domain logging should be enabled for Elastic Search domains
aws-lambda-restrict-source-arn aws lambda Ensure that lambda function permission has a source arn specified
aws-athena-enable-at-rest-encryption aws athena Athena databases and workgroup configurations are created unencrypted at rest by default, they should be encrypted
aws-athena-no-encryption-override aws athena Athena workgroups should enforce configuration to prevent client disabling encryption
aws-api-gateway-enable-access-logging aws api-gateway API Gateway stages for V1 and V2 should have access logging enabled
aws-ec2-no-secrets-in-user-data aws ec2 User data for EC2 instances must not contain sensitive AWS keys
aws-cloudtrail-enable-all-regions aws cloudtrail Cloudtrail should be enabled in all regions regardless of where your AWS resources are generally homed
aws-cloudtrail-enable-log-validation aws cloudtrail Cloudtrail log validation should be enabled to prevent tampering of log data
aws-cloudtrail-enable-at-rest-encryption aws cloudtrail Cloudtrail should be encrypted at rest to secure access to sensitive trail data
aws-eks-encrypt-secrets aws eks EKS should have the encryption of secrets enabled
aws-eks-enable-control-plane-logging aws eks EKS Clusters should have cluster control plane logging turned on
aws-eks-no-public-cluster-access-to-cidr aws eks EKS cluster should not have open CIDR range for public access
aws-eks-no-public-cluster-access aws eks EKS Clusters should have the public access disabled
aws-elastic-search-enable-logging aws elastic-search AWS ES Domain should have logging enabled
aws-cloudfront-enable-logging aws cloudfront Cloudfront distribution should have Access Logging configured
aws-s3-ignore-public-acls aws s3 S3 Access Block should Ignore Public Acl
aws-s3-block-public-acls aws s3 S3 Access block should block public ACL
aws-s3-no-public-buckets aws s3 S3 Access block should restrict public bucket to limit access
aws-s3-block-public-policy aws s3 S3 Access block should block public policy
aws-s3-enable-versioning aws s3 S3 Data should be versioned
aws-ecr-enforce-immutable-repository aws ecr ECR images tags shouldn't be mutable.
aws-ec2-enforce-http-token-imds aws ec2 aws_instance should activate session tokens for Instance Metadata Service.
aws-codebuild-enable-encryption aws codebuild CodeBuild Project artifacts encryption should not be disabled
aws-dynamodb-enable-at-rest-encryption aws dynamodb DAX Cluster should always encrypt data at rest
aws-vpc-no-default-vpc aws vpc AWS best practice to not use the default VPC for workflows
aws-elb-drop-invalid-headers aws elb Load balancers should drop invalid headers
aws-workspace-enable-disk-encryption aws workspace Root and user volumes on Workspaces should be encrypted
aws-config-aggregate-all-regions aws config Config configuration aggregator should be using all regions for source
aws-dynamodb-enable-recovery aws dynamodb Point in time recovery should be enabled to protect DynamoDB table
aws-redshift-non-default-vpc-deployment aws redshift Redshift cluster should be deployed into a specific VPC
aws-elasticache-enable-backup-retention aws elasticache Redis cluster should have backup retention turned on
aws-cloudwatch-log-group-customer-key aws cloudwatch CloudWatch log groups should be encrypted using CMK
aws-ecs-enable-container-insight aws ecs ECS clusters should have container insights enabled
aws-rds-backup-retention-specified aws rds RDS Cluster and RDS instance should have backup retention longer than default 1 day
aws-dynamodb-table-customer-key aws dynamodb DynamoDB tables should use at rest encryption with a Customer Managed Key
aws-ecr-repository-customer-key aws ecr ECR Repository should use customer managed keys to allow more control
aws-redshift-encryption-customer-key aws redshift Redshift clusters should use at rest encryption
aws-ssm-secret-use-customer-key aws ssm Secrets Manager should use customer managed keys
aws-ecs-enable-in-transit-encryption aws ecs ECS Task Definitions with EFS volumes should use in-transit encryption
aws-iam-block-kms-policy-wildcard aws iam IAM customer managed policies should not allow decryption actions on all KMS keys
aws-s3-specify-public-access-block aws s3 S3 buckets should each define an aws_s3_bucket_public_access_block
aws-iam-no-policy-wildcards aws iam IAM policy should avoid use of wildcards and instead apply the principle of least privilege
azure-network-no-public-ingress azure network An inbound network security rule allows traffic from /0.
azure-network-no-public-egress azure network An outbound network security rule allows traffic to /0.
azure-compute-enable-disk-encryption azure compute Unencrypted managed disk.
azure-datalake-enable-at-rest-encryption azure datalake Unencrypted data lake storage.
azure-compute-ssh-authentication azure compute Password authentication in use instead of SSH keys.
azure-container-configured-network-policy azure container Ensure AKS cluster has Network Policy configured
azure-container-use-rbac-permissions azure container Ensure RBAC is enabled on AKS clusters
azure-container-limit-authorized-ips azure container Ensure AKS has an API Server Authorized IP Ranges enabled
azure-container-logging azure container Ensure AKS logging to Azure Monitoring is Configured
azure-storage-ensure-https azure storage Ensure HTTPS is enabled on Azure Storage Account
azure-storage-no-public-access azure storage Storage containers in blob storage mode should not have public access
azure-storage-default-action-deny azure storage The default action on Storage account network rules should be set to deny
azure-storage-allow-microsoft-service-bypass azure storage Trusted Microsoft Services should have bypass access to Storage accounts
azure-storage-enforce-https azure storage Storage accounts should be configured to only accept transfers that are over secure connections
azure-storage-use-secure-tls-policy azure storage The minimum TLS version for Storage Accounts should be TLS1_2
azure-storage-queue-services-logging-enabled azure storage When using Queue Services for a storage account, logging should be enabled.
azure-network-ssh-blocked-from-internet azure network SSH access should not be accessible from the Internet, should be blocked on port 22
azure-database-enable-audit azure database Auditing should be enabled on Azure SQL Databases
azure-database-retention-period-set azure database Database auditing rentention period should be longer than 90 days
azure-keyvault-specify-network-acl azure keyvault Key vault should have the network acl block specified
azure-keyvault-no-purge azure keyvault Key vault should have purge protection enabled
azure-keyvault-content-type-for-secret azure keyvault Key vault Secret should have a content type set
azure-keyvault-ensure-secret-expiry azure keyvault Key Vault Secret should have an expiration date set
azure-network-disable-rdp-from-internet azure network RDP access should not be accessible from the Internet, should be blocked on port 3389
azure-datafactory-no-public-access azure datafactory Data Factory should have public access disabled, the default is enabled.
azure-keyvault-ensure-key-expiry azure keyvault Ensure that the expiration date is set on all keys
azure-synapse-virtual-network-enabled azure synapse Synapse Workspace should have managed virtual network enabled, the default is disabled.
azure-appservice-enforce-https azure appservice Ensure the Function App can only be accessed via HTTPS. The default is false.
digitalocean-compute-no-public-ingress digitalocean compute The firewall has an inbound rule with open access
digitalocean-compute-no-public-egress digitalocean compute The firewall has an outbound rule with open access
digitalocean-droplet-use-ssh-keys digitalocean droplet SSH Keys are the preferred way to connect to your droplet, no keys are supplied
digitalocean-loadbalancing-enforce-https digitalocean loadbalancing The load balancer forwarding rule is using an insecure protocol as an entrypoint
digitalocean-spaces-acl-no-public-read digitalocean spaces Spaces bucket or bucket object has public read acl set
digitalocean-spaces-versioning-enabled digitalocean spaces Spaces buckets should have versioning enabled
digitalocean-spaces-disable-force-destroy digitalocean spaces Force destroy is enabled on Spaces bucket which is dangerous
google-compute-disk-encryption-customer-keys google compute Encrypted compute disk with unmanaged keys.
google-compute-no-public-ingres google compute An inbound firewall rule allows traffic from /0.
google-compute-no-public-egress google compute An outbound firewall rule allows traffic to /0.
google-gke-use-rbac-permissions google gke Legacy ABAC permissions are enabled.
google-gke-node-metadata-security google gke Node metadata value disables metadata concealment.
google-gke-metadata-endpoints-disabled google gke Legacy metadata endpoints enabled.
google-gke-no-legacy-authentication google gke Legacy client authentication methods utilized.
google-gke-enforce-pod-security-policy google gke Pod security policy enforcement not defined.
google-gke-node-shielding-enabled google gke Shielded GKE nodes not enabled.
google-iam-no-user-granted-permissions google iam IAM granted directly to user.
google-gke-use-service-account google gke Checks for service account defined for GKE nodes
google-compute-disk-encryption-required google compute The encryption key used to encrypt a compute disk has been specified in plaintext.
general-secrets-sensitive-in-variable general secrets Potentially sensitive data stored in "default" value of variable.
general-secrets-sensitive-in-local general secrets Potentially sensitive data stored in local value.
general-secrets-sensitive-in-attribute general secrets Potentially sensitive data stored in block attribute.
general-secrets-sensitive-in-attribute-value general secrets The attribute has potentially sensitive data, passwords, tokens or keys in it
github-repositories-private github repositories Github repository shouldn't be public.
oracle-compute-no-public-ip oracle compute Compute instance requests an IP reservation from a public pool