Policies
Terrascan policies are written in the Rego policy language. Each Rego policy is accompanied by a JSON "rule" file that defines metadata for the policy. The policies shipped with Terrascan are stored in the pkg/policies/opa/rego directory.
Updating Terrascan with the latest policies
The first time you run Terrascan without the -p flag, it downloads the latest policies from the Terrascan repository. To update to the latest policies, remove the ~/.terrascan directory from your system and run terrascan init.
Ignoring policies on a scan
Terrascan keeps a copy of the policies on your local filesystem in the ~/.terrascan/pkg/policies/opa/rego directory. You can also point a scan at a particular directory of Rego policies with the -p flag. To ignore a particular policy during a scan, remove that policy's rule .json file from the directory. The policy stays ignored until the .json file is added back to the directory.
In a future enhancement, Terrascan will have a better way to ignore individual policies from scans without modifying the policies stored on the file system (#367).
Adding policies
Each policy requires two files: a rule .json file with metadata for the policy, and a Rego (.rego) file containing the policy itself.
Writing an OPA Rego policy file
The input to the Rego policies is the normalized output of the IaC provider. When writing policies you can obtain this normalized JSON by running the scan command with the --config-only flag together with -o json. Take this Terraform HCL file as an example:
resource "github_repository" "example" {
  name        = "example"
  description = "My awesome codebase"
  private     = false
  template {
    owner      = "github"
    repository = "terraform-module-template"
  }
}
Here's the output with the --config-only flag:
$ terrascan scan -i terraform --config-only -o json
{
  "github_repository": [
    {
      "id": "github_repository.example",
      "name": "example",
      "source": "main.tf",
      "line": 1,
      "type": "github_repository",
      "config": {
        "description": "My awesome codebase",
        "name": "example",
        "private": false,
        "template": [
          {
            "owner": "github",
            "repository": "terraform-module-template"
          }
        ]
      }
    }
  ]
}
You can use this JSON output as the input in the Rego playground. The following policy, run against the Terraform above, flags a GitHub repository that was created with private = false.
package accurics

privateRepoEnabled[api.id] {
    api := input.github_repository[_]
    not api.config.private == true
    not api.config.visibility == "private"
}
A successful policy match produces the following output:
{
  "privateRepoEnabled": [
    "github_repository.example"
  ]
}
The rule JSON file
The rule files follow this naming convention: <cloud-provider>.<resource-type>.<rule-category>.<severity>.<next-available-rule-number>.json
Here's an example of the contents of a rule file:
{
  "name": "unrestrictedIngressAccess",
  "file": "unrestrictedIngressAccess.rego",
  "template_args": {
    "prefix": ""
  },
  "severity": "HIGH",
  "description": " It is recommended that no security group allows unrestricted ingress access",
  "reference_id": "AWS.SecurityGroup.NetworkSecurity.High.0094",
  "category": "Network Ports Security",
  "version": 2
}
Key | Value |
---|---|
name | Short name for the rule |
file | File name of the Rego policy |
template_args.prefix | Prefix used to make the generated Rego rule names unique |
severity | Likelihood * impact of the issue |
description | Description of the issue found by this rule |
reference_id | Unique ID of the rule in the format <cloud-provider>.<resource-type>.<rule-category>.<severity>.<next-available-rule-number> |
category | Descriptive category for this rule |
version | Version number of the rule/rego |
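As an added example (not one of the policies shipped with Terrascan), here is the Rego side of the unrestrictedIngressAccess rule file shown above, written in the same style as the GitHub repository policy, together with a constructed normalized input and two opa test cases so the policy can be checked offline before it is dropped into a policy directory. The aws_security_group input shape (config.ingress blocks with cidr_blocks and ipv6_cidr_blocks lists) and the resource ids are assumptions for illustration only; the template prefix is left empty as in the rule file, so the rule name is used literally.

```rego
package accurics

# Added example, not a Terrascan-shipped policy. It assumes the normalized
# aws_security_group input keeps each ingress block under config.ingress
# with cidr_blocks / ipv6_cidr_blocks lists (an assumed shape, following the
# github_repository output above).

# CIDRs that admit traffic from anywhere on the internet.
open_cidrs := {"0.0.0.0/0", "::/0"}

# Flags a security group when any IPv4 ingress rule admits an open CIDR.
unrestrictedIngressAccess[sg.id] {
    sg := input.aws_security_group[_]
    ingress := sg.config.ingress[_]
    cidr := ingress.cidr_blocks[_]
    open_cidrs[cidr]
}

# Same check for IPv6 ingress rules.
unrestrictedIngressAccess[sg.id] {
    sg := input.aws_security_group[_]
    ingress := sg.config.ingress[_]
    cidr := ingress.ipv6_cidr_blocks[_]
    open_cidrs[cidr]
}

# Constructed input for `opa test`: one group open to the world on SSH,
# one restricted to a private /24. Resource ids are made up.
sample_input := {
    "aws_security_group": [
        {
            "id": "aws_security_group.open",
            "config": {
                "ingress": [
                    {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}
                ]
            }
        },
        {
            "id": "aws_security_group.restricted",
            "config": {
                "ingress": [
                    {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.1.0/24"]}
                ]
            }
        }
    ]
}

test_open_group_is_flagged {
    unrestrictedIngressAccess["aws_security_group.open"] with input as sample_input
}

test_restricted_group_is_not_flagged {
    not unrestrictedIngressAccess["aws_security_group.restricted"] with input as sample_input
}
```

Save the file as unrestrictedIngressAccess.rego next to its rule .json (the file key in the rule must match) and run opa test on the directory; both tests should pass. When Terrascan evaluates the policy, every matching security group id is listed under unrestrictedIngressAccess, in the same way privateRepoEnabled listed github_repository.example above.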
aws_iam_role_policy
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Identity and Access Management | IamPolicy | HIGH | It is recommended and considered standard security advice to grant least privilege, that is, to grant only the permissions required to perform a task. IAM policies are the means by which privileges are granted to users, groups, or roles. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of granting full administrative privileges. | AWS.IamPolicy.IAM.High.0392 |
aws_route53_record
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
DNS Management | Route53HostedZone | HIGH | Route53HostedZone should have recordSets. | AWS.Route53HostedZone.DNSManagement.High.0422 |
aws_api_gateway_method_settings
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Logging | API Gateway | MEDIUM | Enable Detailed CloudWatch Metrics for APIs | AWS.API Gateway.Logging.Medium.0569 |
aws_vpc
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Logging | VPC | MEDIUM | Avoid creating resources in the default VPC | AWS.VPC.Logging.Medium.0471 |
Logging | VPC | MEDIUM | Ensure VPC flow logging is enabled in all VPCs | AWS.VPC.Logging.Medium.0470 |
aws_iam_account_password_policy
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
IAM | Iam | MEDIUM | Lowercase letters are not required in the password, so password complexity is not high. Increased password complexity increases resiliency against brute force attacks | AWS.Iam.IAM.Medium.0454 |
IAM | Iam | MEDIUM | Setting a lengthy password increases account resiliency against brute force login attempts | AWS.Iam.IAM.Medium.0458 |
IAM | Iam | LOW | It is recommended that the password policy prevent the reuse of passwords. Preventing password reuse increases account resiliency against brute force login attempts | AWS.Iam.IAM.Low.0539 |
IAM | Iam | MEDIUM | Numbers are not required in the password, so password complexity is not high. Increased password complexity increases resiliency against brute force attacks | AWS.Iam.IAM.Medium.0455 |
IAM | Iam | MEDIUM | Setting a lengthy password increases account resiliency against brute force login attempts | AWS.Iam.IAM.Medium.0495 |
IAM | Iam | MEDIUM | Special symbols are not required in the password, so password complexity is not high. Increased password complexity increases resiliency against brute force attacks | AWS.Iam.IAM.Medium.0456 |
IAM | Iam | MEDIUM | Uppercase letters are not required in the password, so password complexity is not high. Increased password complexity increases resiliency against brute force attacks | AWS.Iam.IAM.Medium.0457 |
IAM | Iam | LOW | Reducing the password lifetime increases account resiliency against brute force login attempts | AWS.Iam.IAM.Low.0540 |
aws_mq_broker
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | ElasticSearch | MEDIUM | Publicly Accessible MQ Brokers | AWS.ElasticSearch.NetworkSecurity.Medium.0887 |
Logging | ElasticSearch | MEDIUM | Enable AWS MQ Log Exports | AWS.ElasticSearch.Logging.Medium.0885 |
aws_db_instance
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | AWS RDS | HIGH | RDS Instance publicly_accessible flag is true | AWS.AWS RDS.NS.High.0101 |
Data Security | RDS | HIGH | Ensure the certificate used by the RDS instance is updated | AWS.RDS.DS.High.1042 |
Data Security | RDS | HIGH | Ensure that your RDS database has IAM Authentication enabled. | AWS.RDS.DataSecurity.High.0577 |
Data Security | RDS | HIGH | RDS Instance Auto Minor Version Upgrade flag disabled | AWS.RDS.DS.High.1041 |
Data Security | RDS | HIGH | Ensure that your RDS database instances have automated backups enabled for point-in-time recovery. To back up your database instances, AWS RDS automatically takes a full daily snapshot of your data (with transaction logs) during the specified backup window and keeps the backups for a limited period of time (known as the retention period) defined by the instance owner. | AWS.RDS.DataSecurity.High.0414 |
aws_ebs_volume
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption and Key Management | EcsCluster | HIGH | Ensure that AWS EBS clusters are encrypted. Data encryption at rest prevents unauthorized users from accessing sensitive data on your AWS EBS clusters and associated cache storage systems. | AWS.EcsCluster.EncryptionandKeyManagement.High.0413 |
Encryption and Key Management | EBS | HIGH | Enable AWS EBS Snapshot Encryption | AWS.EBS.EKM.Medium.0682 |
aws_api_gateway_rest_api
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
- | APIGateway | MEDIUM | Enable Content Encoding | AWS.APIGateway.Medium.0568 |
Network Security | APIGateway | MEDIUM | API Gateway Private Endpoints | AWS.APIGateway.Network Security.Medium.0570 |
aws_iam_role
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Identity and Access Management | IamPolicy | HIGH | It is recommended and considered standard security advice to grant least privilege, that is, to grant only the permissions required to perform a task. IAM policies are the means by which privileges are granted to users, groups, or roles. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of granting full administrative privileges. | AWS.IamPolicy.IAM.High.0392 |
aws_ebs_encryption_by_default
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Data Security | EBS | HIGH | Ensure that AWS EBS volumes that hold sensitive and critical data are encrypted by default to fulfill compliance requirements for data-at-rest encryption. | AWS.EBS.DataSecurity.High.0580 |
aws_sns_topic
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | SNS | MEDIUM | Ensure SNS Topic is Publicly Accessible For Subscription | AWS.SNS.NS.Medium.1044 |
aws_apigatewayv2_api
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
AccessControl | ApiGatewayV2Api | Medium | Insecure Cross-Origin Resource Sharing Configuration allowing all domains | AWS.ApiGatewayV2Api.AccessControl.0630 |
aws_efs_file_system
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption and Key Management | EFS | HIGH | Enable encryption of your EFS file systems in order to protect your data and metadata from breaches or unauthorized access and fulfill compliance requirements for data-at-rest encryption within your organization. | AWS.EFS.EncryptionandKeyManagement.High.0409 |
Encryption and Key Management | EFS | HIGH | Enable encryption of your EFS file systems in order to protect your data and metadata from breaches or unauthorized access and fulfill compliance requirements for data-at-rest encryption within your organization. | AWS.EFS.EncryptionandKeyManagement.High.0410 |
aws_sqs_queue
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | SQS | HIGH | Identify any publicly accessible SQS queues available in your AWS account and update their permissions in order to protect against unauthorized users. | AWS.SQS.NetworkSecurity.High.0569 |
Network Security | SQS | HIGH | Ensure that your Amazon Simple Queue Service (SQS) queues are protecting the contents of their messages using Server-Side Encryption (SSE). The SQS service uses an AWS KMS Customer Master Key (CMK) to generate the data keys required for the encryption/decryption of SQS messages. There is no additional charge for using SQS Server-Side Encryption; however, there is a charge for using AWS KMS. | AWS.SQS.NetworkSecurity.High.0570 |
aws_instance
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | json | MEDIUM | EC2 instances should disable IMDS or require IMDSv2 | AC-AWS-NS-IN-M-1172 |
Network Security | Instance | MEDIUM | Instance should be configured in a VPC. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. | AWS.Instance.NetworkSecurity.Medium.0506 |
aws_config
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption & Key Management | Config | MEDIUM | Ensure AWS Config Rule is enabled for Encrypted Volumes | AWS.Config.Encryption&KeyManagement.Medium.0660 |
aws_cloudformation_stack
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
- | CloudFormation | MEDIUM | AWS CloudFormation Not In Use | AWS.CloudFormation.Medium.0599 |
- | CloudFormation | MEDIUM | AWS CloudFormation Stack Policy | AWS.CloudFormation.Medium.0604 |
- | CloudFormation | MEDIUM | Enable AWS CloudFormation Stack Termination Protection | AWS.CloudFormation.Medium.0605 |
- | CloudFormation | MEDIUM | Enable AWS CloudFormation Stack Notifications | AWS.CloudFormation.Medium.0603 |
aws_iam_user_policy
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Identity and Access Management | IamPolicy | HIGH | It is recommended and considered standard security advice to grant least privilege, that is, to grant only the permissions required to perform a task. IAM policies are the means by which privileges are granted to users, groups, or roles. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of granting full administrative privileges. | AWS.IamPolicy.IAM.High.0392 |
Identity and Access Management | IamUser | HIGH | Ensure Hardware MFA device is enabled for the "root" account | AWS.IamUser.IAM.High.0387 |
Identity and Access Management | IamUser | HIGH | Ensure Virtual MFA device is enabled for the "root" account | AWS.IamUser.IAM.High.0388 |
Identity and Access Management | IamUser | HIGH | It is recommended that MFA be enabled for all accounts that have a console password. Enabling MFA provides increased security for console access, as it requires the authenticating principal to possess a device that emits a time-sensitive key and to have knowledge of a credential | AWS.IamUser.IAM.High.0389 |
aws_ecs_task_definition
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | EcsCluster | HIGH | Like any other EC2 instance, it is recommended to place ECS instances within a VPC. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations | AWS.EcsCluster.NetworkSecurity.High.0104 |
Data Security | LaunchConfiguration | HIGH | Sensitive Information Disclosure | AWS.LaunchConfiguration.DataSecurity.High.0101 |
aws_ecr_repository_policy
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Data Security | ECR | HIGH | Identify any exposed Amazon ECR image repositories available within your AWS account and update their permissions in order to protect against unauthorized access. Amazon Elastic Container Registry (ECR) is a managed Docker registry service that makes it easy for DevOps teams to store, manage and deploy Docker container images. An ECR repository is a collection of Docker images available on AWS cloud. | AWS.ECR.DataSecurity.High.0579 |
aws_iam_policy
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Identity and Access Management | IamPolicy | HIGH | It is recommended and considered standard security advice to grant least privilege, that is, to grant only the permissions required to perform a task. IAM policies are the means by which privileges are granted to users, groups, or roles. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of granting full administrative privileges. | AWS.IamPolicy.IAM.High.0392 |
aws_apigatewayv2_stage
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Logging | ApiGatewayV2Stage | Low | AWS API Gateway V2 Stage is missing access logs | AWS.ApiGatewayV2Stage.Logging.0630 |
aws_ecr_repository
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Data Security | ECR | MEDIUM | Unscanned images may contain vulnerabilities | AWS.ECR.DataSecurity.High.0578 |
aws_cloudfront_distribution
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption and Key Management | CloudFront | HIGH | Secure ciphers are not used in CloudFront distribution | AWS.CloudFront.EncryptionandKeyManagement.High.0408 |
Network Security | CloudFront | LOW | Ensure that geo restriction is enabled for your Amazon CloudFront CDN distribution to whitelist or blacklist a country in order to allow or restrict users in specific locations from accessing web application content. | AWS.CloudFront.Network Security.Low.0568 |
Encryption and Key Management | CloudFront | HIGH | Use encrypted connection between CloudFront and origin server | AWS.CloudFront.EncryptionandKeyManagement.High.0407 |
Logging | CloudFront | MEDIUM | Ensure that your AWS CloudFront distributions have the Logging feature enabled in order to track all viewer requests for the content delivered through the Content Delivery Network (CDN). | AWS.CloudFront.Logging.Medium.0567 |
aws_cloudwatch
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Logging | CloudWatch | MEDIUM | App-Tier CloudWatch Log Group Retention Period | AWS.CloudWatch.Logging.Medium.0631 |
Encryption and Key Management | CloudWatch | HIGH | AWS CloudWatch log group is not encrypted with a KMS CMK | AWS.CloudWatch.EncryptionandKeyManagement.High.0632 |
aws_ami_launch_permission
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | AMI | MEDIUM | Limit access to AWS AMIs | AWS.AMI.NS.Medium.1040 |
aws_launch_configuration
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption and Key Management | EcsCluster | HIGH | Ensure that AWS ECS clusters are encrypted. Data encryption at rest prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. | AWS.EcsCluster.EncryptionandKeyManagement.High.0413 |
Data Security | LaunchConfiguration | HIGH | Avoid using base64 encoded private keys as part of config | AWS.LaunchConfiguration.DataSecurity.High.0102 |
Data Security | LaunchConfiguration | HIGH | Avoid using base64 encoded shell script as part of config | AWS.LaunchConfiguration.DataSecurity.High.0101 |
aws_api_gateway_stage
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | API Gateway | MEDIUM | Enable SSL Client Certificate | AWS.API Gateway.Network Security.Medium.0565 |
Logging | API Gateway | MEDIUM | Ensure that AWS CloudWatch logs are enabled for all your APIs created with the Amazon API Gateway service in order to track and analyze execution behavior at the API stage level. | AWS.API Gateway.Logging.Medium.0572 |
Logging | API Gateway | MEDIUM | Enable Active Tracing | AWS.API Gateway.Logging.Medium.0571 |
Logging | API Gateway | MEDIUM | Enable AWS CloudWatch Logs for APIs | AWS.API Gateway.Logging.Medium.0567 |
aws_elasticsearch_domain
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption and Key Management | ElasticSearch | MEDIUM | Enable AWS ElasticSearch Encryption At Rest | AWS.ElasticSearch.EKM.Medium.0778 |
Encryption and Key Management | ElasticSearch | MEDIUM | ElasticSearch Domain Encrypted with KMS CMKs | AWS.ElasticSearch.EKM.Medium.0768 |
Logging | Elasticsearch | MEDIUM | Ensure that your AWS Elasticsearch clusters have enabled support for publishing slow logs to AWS CloudWatch Logs. This feature enables you to publish slow logs from the indexing and search operations performed on your ES clusters and gain full insight into the performance of these operations. | AWS.Elasticsearch.Logging.Medium.0573 |
aws_iam_user_login_profile
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Identity and Access Management | Iam | HIGH | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are composed of different character sets, have a minimal length, and have rotation and history restrictions | AWS.Iam.IAM.High.0391 |
aws_iam_group_policy
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Identity and Access Management | IamPolicy | HIGH | It is recommended and considered standard security advice to grant least privilege, that is, to grant only the permissions required to perform a task. IAM policies are the means by which privileges are granted to users, groups, or roles. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of granting full administrative privileges. | AWS.IamPolicy.IAM.High.0392 |
aws_load_balancer_policy
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption and Key Management | ELB | HIGH | Using insecure ciphers in your ELB Predefined or Custom Security Policy could make the SSL connection between the client and the load balancer vulnerable to exploits. TLS 1.0 was recommended to be disabled by the PCI Council after June 30, 2016 | AWS.ELB.EncryptionandKeyManagement.High.0401 |
Encryption and Key Management | ELB | HIGH | Remove insecure ciphers from your ELB Predefined or Custom Security Policy to reduce the risk of the SSL connection between the client and the load balancer being exploited. | AWS.ELB.EncryptionandKeyManagement.High.0403 |
aws_s3_bucket
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
IAM | S3Bucket | HIGH | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | AWS.S3Bucket.IAM.High.0377 |
Network Security | S3Bucket | HIGH | Ensure that there are not any static websites being hosted on buckets you aren't aware of | AWS.S3Bucket.NetworkSecurity.High.0417 |
IAM | S3Bucket | HIGH | Enabling S3 versioning will enable easy recovery from unintended user actions, like deletes and overwrites | AWS.S3Bucket.IAM.High.0370 |
S3 | S3Bucket | HIGH | S3 bucket Access is allowed to all AWS Account Users. | AWS.S3Bucket.DS.High.1043 |
IAM | S3Bucket | HIGH | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | AWS.S3Bucket.IAM.High.0379 |
Encryption and Key Management | S3Bucket | HIGH | Ensure that S3 Buckets have server side encryption at rest enabled with a KMS key to protect sensitive data. | AWS.S3Bucket.EncryptionandKeyManagement.High.0405 |
IAM | S3Bucket | HIGH | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | AWS.S3Bucket.IAM.High.0378 |
IAM | S3Bucket | HIGH | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | AWS.S3Bucket.IAM.High.0381 |
aws_elb
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Ports Security | ELB | LOW | AWS ELB incoming traffic not encrypted | AWS.ELB.NetworkPortsSecurity.Low.0563 |
aws_redshift_cluster
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | Redshift | HIGH | Ensure Redshift clusters are not publicly accessible to minimize security risks. | AWS.Redshift.NetworkSecurity.HIGH.0564 |
Logging | Redshift | MEDIUM | Ensure audit logging is enabled for Redshift clusters for security and troubleshooting purposes. | AWS.Redshift.Logging.Medium.0565 |
Encryption and Key Management | Redshift | HIGH | Use customer-managed KMS keys instead of AWS-managed keys to have granular control over encrypting and decrypting data. Encrypt Redshift clusters with a customer-managed KMS key. This is a recommended best practice. | AWS.Redshift.EncryptionandKeyManagement.High.0415 |
aws_kinesis_stream
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption and Key Management | Kinesis | HIGH | Kinesis Streams and metadata are not protected | AWS.Kinesis.EncryptionandKeyManagement.High.0412 |
aws_config_configuration_aggregator
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Logging | Config | HIGH | Ensure AWS Config is enabled in all regions | AWS.Config.Logging.HIGH.0590 |
aws_organizations_policy
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
IAM | Organizations | MEDIUM | Ensure that All Features is enabled within your Amazon Organizations to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). | AWS.Organizations.IAM.MEDIUM.0590 |
aws_route53_query_log
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Logging | Route53 query logs | MEDIUM | Ensure CloudWatch logging is enabled for Route53 hosted zones. | AWS.Route53 query logs.Logging.Medium.0574 |
aws_iam_access_key
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Identity and Access Management | IamUser | HIGH | The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. Removing access keys associated with the root account limits the vectors by which the account can be compromised. Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged. | AWS.IamUser.IAM.High.0390 |
Identity and Access Management | IamUser | MEDIUM | Ensure that there are no exposed Amazon IAM access keys in order to protect your AWS resources against unapproved access | AWS.IamUser.IAM.High.0391 |
aws_guardduty_detector
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Logging | GuardDuty Enabled | MEDIUM | Ensure that the Amazon GuardDuty service is currently enabled in all regions in order to protect your AWS environment and infrastructure (AWS accounts and resources, IAM credentials, guest operating systems, applications, etc.) against security threats. AWS GuardDuty is a managed threat detection service that continuously monitors your VPC flow logs, AWS CloudTrail event logs and DNS logs for malicious or unauthorized behavior. The service monitors for activity such as unusual API calls, potentially compromised EC2 instances or potentially unauthorized deployments that indicate a possible AWS account compromise. AWS GuardDuty operates entirely on Amazon Web Services infrastructure and does not affect the performance or reliability of your applications. The service does not require any software agents, sensors or network appliances. | AWS.GuardDuty Enabled.Security.Medium.0575 |
aws_db_security_group
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | RDS | HIGH | RDS should not be defined with a public interface. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment. | AWS.RDS.NetworkSecurity.High.0101 |
Network Security | RDS | HIGH | RDS should not be open to a large scope. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment. | AWS.RDS.NetworkSecurity.High.0103 |
Network Security | RDS | HIGH | RDS should not be open to a public scope. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment. | AWS.RDS.NetworkSecurity.High.0102 |
aws_s3_bucket_policy
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Identity and Access Management | S3Bucket | HIGH | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | AWS.S3Bucket.IAM.High.0371 |
Identity and Access Management | IamPolicy | HIGH | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | AWS.IamPolicy.IAM.High.0376 |
Identity and Access Management | IamPolicy | HIGH | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | AWS.IamPolicy.IAM.High.0375 |
Identity and Access Management | IamPolicy | HIGH | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | AWS.IamPolicy.IAM.High.0374 |
Identity and Access Management | S3Bucket | HIGH | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | AWS.S3Bucket.IAM.High.0372 |
Identity and Access Management | IamPolicy | HIGH | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | AWS.IamPolicy.IAM.High.0373 |
aws_ami
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption & KeyManagement | EC2 | MEDIUM | Enable AWS AMI Encryption | AWS.EC2.Encryption&KeyManagement.Medium.0688 |
aws_elasticache_cluster
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Data Security | ElastiCache | HIGH | ElastiCache for Redis version is not compliant with AWS PCI DSS requirements | AWS.ElastiCache.DataSecurity.High.0425 |
Data Security | ElastiCache | HIGH | ElastiCache for Memcached is not in use in AWS PCI DSS environments | AWS.ElastiCache.DataSecurity.High.0424 |
High Availability | ElastiCache | MEDIUM | AWS ElastiCache Multi-AZ | AWS.ElastiCache.HighAvailability.Medium.0757 |
aws_kinesis_firehose_delivery_stream
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption and Key Management | Kinesis | HIGH | AWS Kinesis Server data at rest has server side encryption (SSE) | AWS.Kinesis.EncryptionandKeyManagement.High.0411 |
aws_rds_cluster
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption and Key Management | RDS | HIGH | Encrypt Amazon RDS instances and snapshots at rest by enabling the encryption option for your Amazon RDS DB instance | AWS.RDS.EncryptionandKeyManagement.High.0414 |
aws_cloudtrail
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Logging | CloudTrail | HIGH | Cloud Trail Log Not Enabled | AWS.CloudTrail.Logging.High.0399 |
Logging | CloudTrail | MEDIUM | Cloud Trail Multi Region not enabled | AWS.CloudTrail.Logging.Medium.0460 |
Logging | CloudTrail | MEDIUM | Ensure appropriate subscribers to each SNS topic | AWS.CloudTrail.Logging.Low.0559 |
aws_lambda_function
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Logging | LambdaFunction | Low | Lambda function does not include a VPC configuration. | AWS.LambdaFunction.Logging.0472 |
Logging | LambdaFunction | LOW | Lambda tracing is not enabled. | AWS.LambdaFunction.Logging.0470 |
Encryption and Key Management | LambdaFunction | High | Lambda does not use a KMS CMK key to protect environment variables. | AWS.LambdaFunction.EncryptionandKeyManagement.0471 |
aws_kms_key
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Logging | KMS | HIGH | Ensure rotation for customer created CMKs is enabled | AWS.KMS.Logging.High.0400 |
Network Security | KMS | HIGH | Identify any publicly accessible AWS Key Management Service master keys and update their access policy in order to stop any unsigned requests made to these resources. | AWS.KMS.NetworkSecurity.High.0566 |
aws_security_group¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Ports Security | ALB | MEDIUM | 'MSSQL Debugger' (TCP:135) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0236 |
Network Ports Security | ALB | MEDIUM | 'Cassandra OpsCenter agent port' (TCP:61621) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0220 |
Network Ports Security | SecurityGroup | HIGH | remote desktop port open to internet | AWS.SecurityGroup.NetworkPortsSecurity.Low.0562 |
Network Ports Security | ALB | MEDIUM | 'Memcached SSL' (TCP:11214) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0240 |
Network Ports Security | ALB | MEDIUM | 'NetBIOS Datagram Service' (TCP:138) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0256 |
Network Ports Security | ALB | MEDIUM | 'SNMP' (UDP:161) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0276 |
Network Ports Security | ALB | MEDIUM | 'NetBIOS Session Service' (TCP:139) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0260 |
Network Ports Security | ALB | MEDIUM | 'LDAP SSL ' (TCP:636) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0230 |
Network Ports Security | ALB | MEDIUM | 'Known internal web port' (TCP:8000) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0226 |
Network Ports Security | ALB | MEDIUM | 'Postgres SQL' (UDP:5432) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0270 |
Network Ports Security | SecurityGroup | HIGH | It is recommended that no security group allows unrestricted ingress access | AWS.SecurityGroup.NPS.High.1045 |
Network Ports Security | ALB | MEDIUM | 'Oracle DB SSL' (UDP:2484) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0266 |
Network Ports Security | SecurityGroup | HIGH | A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. Configuring the default security group to restrict all traffic encourages least-privilege security group development and mindful placement of AWS resources into security groups, which in turn reduces the exposure of those resources. | AWS.SecurityGroup.NetworkSecurity.High.0097 |
Network Ports Security | ALB | MEDIUM | 'Memcached SSL' (UDP:11215) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0246 |
Network Ports Security | ALB | MEDIUM | 'SaltStack Master' (TCP:4505) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0196 |
Network Ports Security | ALB | MEDIUM | 'MySQL' (TCP:3306) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0250 |
Network Ports Security | ALB | MEDIUM | 'Known internal web port' (TCP:8080) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0228 |
Network Ports Security | SecurityGroup | HIGH | It is recommended that no security group allows unrestricted ingress access | AWS.SecurityGroup.NetworkSecurity.High.0094 |
Network Ports Security | ALB | MEDIUM | 'Hadoop Name Node' (TCP:9000) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0224 |
Network Ports Security | SecurityGroup | HIGH | Unknown Port is exposed to the entire internet | AWS.SecurityGroup.NPS.High.1046 |
Network Ports Security | ALB | MEDIUM | 'MSSQL Admin' (TCP:1434) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0232 |
Network Ports Security | ALB | MEDIUM | 'Mongo Web Portal' (TCP:27018) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0248 |
Network Ports Security | ALB | MEDIUM | 'Oracle DB SSL' (TCP:2484) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0264 |
Network Ports Security | ALB | MEDIUM | 'Prevalent known internal port' (TCP:3000) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0272 |
Network Ports Security | ALB | MEDIUM | 'NetBIOS Name Service' (TCP:137) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0252 |
Network Ports Security | ALB | HIGH | 'SSH' (TCP:22) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0194 |
Network Ports Security | ALB | MEDIUM | 'Memcached SSL' (UDP:11214) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0244 |
Network Ports Security | ALB | MEDIUM | 'Postgres SQL' (TCP:5432) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0268 |
Network Ports Security | ALB | MEDIUM | 'Cassandra' (TCP:7001) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0222 |
Network Ports Security | ALB | MEDIUM | 'MSSQL Browser Service' (UDP:1434) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0234 |
Network Ports Security | ALB | MEDIUM | 'CIFS / SMB' (TCP:3020) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0218 |
Network Ports Security | ALB | MEDIUM | 'SQL Server Analysis Services' (TCP:2383) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0280 |
Network Ports Security | ALB | MEDIUM | 'MSSQL Server' (TCP:1433) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0238 |
Network Ports Security | SecurityGroup | HIGH | ssh port open to internet | AWS.SecurityGroup.NetworkPortsSecurity.Low.0560 |
Network Ports Security | ALB | MEDIUM | 'NetBIOS Name Service' (UDP:137) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0254 |
Network Ports Security | SecurityGroup | HIGH | http port open to internet | AWS.SecurityGroup.NetworkPortsSecurity.Low.0561 |
Network Ports Security | ALB | MEDIUM | 'Memcached SSL' (TCP:11215) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0242 |
Network Ports Security | ALB | MEDIUM | 'SQL Server Analysis Service browser' (TCP:2382) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0278 |
Network Ports Security | ALB | MEDIUM | 'NetBIOS Datagram Service' (UDP:138) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0258 |
Network Ports Security | ALB | MEDIUM | 'NetBIOS Session Service' (UDP:139) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0262 |
Network Ports Security | ALB | MEDIUM | 'Puppet Master' (TCP:8140) is accessible by a CIDR block range | AWS.ALB.NetworkPortsSecurity.High.0274 |
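The "ssh port open to internet" and "remote desktop port open to internet" rows above, written out as a Rego policy over the normalized input described at the top of this page. This is an added example, not one of the policies shipped with Terrascan: the rule name `admin_port_open_to_internet`, the assumption that each normalized resource carries its HCL attributes under `config` (so `ingress` blocks become a list of objects with `from_port`, `to_port`, `protocol`, `cidr_blocks`, `ipv6_cidr_blocks`), and the two constructed inputs at the bottom are all assumptions made here. It uses the `import rego.v1` syntax (OPA 0.59 or later) rather than the older syntax of the shipped policies, so that it runs directly with `opa`.

```rego
package accurics

import rego.v1

# Added example, not a policy shipped with Terrascan. Flags aws_security_group
# resources whose ingress rules let the whole internet reach SSH or RDP.
# Assumption: the normalized input (terrascan scan --config-only -o json)
# exposes each resource's attributes under input.<type>[_].config.

admin_ports := {22, 3389}

open_cidrs := {"0.0.0.0/0", "::/0"}

# "-1" is the AWS "all protocols" value; it carries TCP 22/3389 just as "tcp" does.
risky_protocols := {"tcp", "-1"}

# Port p is covered when it lies inside from_port..to_port, or when the rule is
# the AWS "all ports" form (from_port = 0 and to_port = 0).
port_covered(rule, p) if {
	rule.from_port <= p
	p <= rule.to_port
}

port_covered(rule, p) if {
	rule.from_port == 0
	rule.to_port == 0
}

# Tolerate a missing or null list attribute in the normalized config.
cidrs_of(rule, key) := rule[key] if is_array(rule[key])

else := []

rule_cidrs(rule) := array.concat(cidrs_of(rule, "cidr_blocks"), cidrs_of(rule, "ipv6_cidr_blocks"))

# Set of security group ids with an admin port open to the world.
admin_port_open_to_internet contains sg.id if {
	some sg in input.aws_security_group
	some rule in sg.config.ingress
	rule.protocol in risky_protocols
	some cidr in rule_cidrs(rule)
	cidr in open_cidrs
	some port in admin_ports
	port_covered(rule, port)
}

# --- Constructed inputs and tests (run with: opa test <file>.rego) ---

# Weak setting: SSH reachable from 0.0.0.0/0.
bad_input := {"aws_security_group": [{
	"id": "aws_security_group.bastion",
	"type": "aws_security_group",
	"config": {"ingress": [{
		"from_port": 22,
		"to_port": 22,
		"protocol": "tcp",
		"cidr_blocks": ["0.0.0.0/0"]
	}]}
}]}

# Corrected setting: same port, restricted to a private range.
good_input := {"aws_security_group": [{
	"id": "aws_security_group.bastion",
	"type": "aws_security_group",
	"config": {"ingress": [{
		"from_port": 22,
		"to_port": 22,
		"protocol": "tcp",
		"cidr_blocks": ["10.0.0.0/8"]
	}]}
}]}

test_flags_world_open_ssh if {
	"aws_security_group.bastion" in admin_port_open_to_internet with input as bad_input
}

test_accepts_private_cidr if {
	not "aws_security_group.bastion" in admin_port_open_to_internet with input as good_input
}
```

To evaluate it against a real normalized scan, save the `--config-only -o json` output to a file and run `opa eval -i config.json -d sg.rego 'data.accurics.admin_port_open_to_internet'`; the result is the set of offending resource ids. Loading it into Terrascan additionally needs the rule `.json` metadata file described earlier on this page, and the shipped policies prefix their rule names with a `{{.prefix}}` template that Terrascan fills in from that metadata; the plain rule name is used here so the file stays runnable with `opa` alone.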
aws_ecs_service¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Identity and Access Management | ECS | HIGH | Ensure there are no ECS services Admin roles | AWS.ECS.High.0436 |
azurerm_virtual_machine¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | azure | HIGH | Ensure that at least one Network Security Group is attached to all VMs and subnets that are public | accurics.azure.NS.18 |
azurerm_storage_container¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Identity and Access Management | azure | HIGH | Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. This is only recommended if absolutely necessary. | accurics.azure.IAM.368 |
azurerm_mysql_server¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | azure | HIGH | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server. | accurics.azure.NS.361 |
azurerm_sql_firewall_rule¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | azure | MEDIUM | Restrict Azure SQL Server accessibility to a minimal address range | accurics.azure.NS.169 |
Network Security | azure | HIGH | Ensure entire Azure infrastructure doesn't have access to Azure SQL Server | accurics.azure.NS.5 |
Network Security | azure | HIGH | Ensure that no SQL Server allows ingress from 0.0.0.0/0 (ANY IP) | accurics.azure.NS.21 |
azurerm_key_vault¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption and Key Management | azure | MEDIUM | Ensure the key vault is recoverable - enable "Soft Delete" setting for a Key Vault | accurics.azure.EKM.164 |
Encryption and Key Management | azure | HIGH | Ensure that logging for Azure KeyVault is 'Enabled' | accurics.azure.EKM.20 |
azurerm_resource_group¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | azure | LOW | Ensure that Azure Resource Group has resource lock enabled | accurics.azure.NS.272 |
azurerm_storage_account_network_rules¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | azure | MEDIUM | Ensure default network access rule for Storage Accounts is set to deny. | accurics.azure.NS.370 |
azurerm_storage_account¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | azure | HIGH | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | accurics.azure.NS.2 |
Network Security | azure | HIGH | Ensure default network access rule for Storage Accounts is not open to public | accurics.azure.NS.4 |
Encryption and Key Management | azure | HIGH | Ensure that 'Secure transfer required' is enabled for Storage Accounts | accurics.azure.EKM.7 |
azurerm_sql_server¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Monitoring | azure | MEDIUM | Ensure that 'Auditing' is set to 'On' for SQL servers | accurics.azure.MON.354 |
Identity and Access Management | azure | HIGH | Ensure that Azure Active Directory Admin is configured for SQL Server | accurics.azure.IAM.10 |
Identity and Access Management | azure | MEDIUM | Avoid using names like 'Admin' for an Azure SQL Server admin account login | accurics.azure.IAM.138 |
Logging | azure | MEDIUM | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers. | accurics.azure.LOG.356 |
azurerm_postgresql_configuration¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Logging | azure | MEDIUM | Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server | accurics.azure.LOG.154 |
Logging | azure | MEDIUM | Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | accurics.azure.LOG.155 |
Logging | azure | MEDIUM | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | accurics.azure.LOG.152 |
Logging | azure | MEDIUM | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | accurics.azure.LOG.364 |
Logging | azure | MEDIUM | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | accurics.azure.LOG.153 |
Logging | azure | MEDIUM | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | accurics.azure.LOG.151 |
azurerm_sql_database¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Monitoring | azure | MEDIUM | Ensure that 'Threat Detection' is enabled for Azure SQL Database | accurics.azure.MON.157 |
azurerm_redis_cache¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | azure | HIGH | Ensure that Redis is updated regularly with security and operational updates. Note this feature is only available to Premium tier Redis Caches. | accurics.azure.NS.13 |
Encryption and Key Management | azure | MEDIUM | Ensure that the Redis Cache accepts only SSL connections | accurics.azure.EKM.23 |
Network Security | azure | HIGH | Ensure there are no firewall rules allowing unrestricted access to Redis from other Azure sources | accurics.azure.NS.31 |
Network Security | azure | HIGH | Ensure there are no firewall rules allowing unrestricted access to Redis from the Internet | accurics.azure.NS.30 |
Network Security | azure | MEDIUM | Ensure there are no firewall rules allowing Redis Cache access for a large number of source IPs | accurics.azure.NS.166 |
azurerm_mssql_server¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Monitoring | azure | MEDIUM | Ensure that 'Auditing' is set to 'On' for MSSQL servers | accurics.azure.MON.355 |
Monitoring | azure | MEDIUM | Ensure that 'Auditing' Retention is 'greater than 90 days' for MSSQL servers. | accurics.azure.LOG.357 |
azurerm_kubernetes_cluster¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | azure | MEDIUM | Ensure Kube Dashboard is disabled | accurics.azure.NS.383 |
Network Security | azure | MEDIUM | Ensure AKS cluster has Network Policy configured. | accurics.azure.NS.382 |
azurerm_managed_disk¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption and Key Management | azure | MEDIUM | Ensure that OS disks are encrypted | accurics.azure.EKM.156 |
azurerm_network_watcher_flow_log¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | azure | MEDIUM | Network Security Group flow logs should be enabled with a retention period of 90 days or more. Flow logs capture information about IP traffic flowing in and out of network security groups; they can be used to check for anomalies and give insight into suspected breaches. | accurics.azure.NS.342 |
Network Security | azure | HIGH | Enable Network Watcher for Azure subscriptions. Network diagnostic and visualization tools available with Network Watcher help users understand, diagnose, and gain insights to the network in Azure. | accurics.azure.NS.11 |
azurerm_key_vault_secret¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Key Management | azure | HIGH | Ensure that the expiration date is set on all secrets | accurics.azure.EKM.26 |
azurerm_key_vault_key¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Key Management | azure | HIGH | Ensure that the expiration date is set on all keys | accurics.azure.EKM.25 |
azurerm_security_center_contact¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Monitoring | azure | MEDIUM | Ensure that 'Send email notification for high severity alerts' is set to 'On' | accurics.azure.MON.353 |
azurerm_network_security_rule¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Ports Security | azure | LOW | VNC Listener (TCP:5500) is exposed to small Private network | accurics.azure.NPS.314 |
Network Ports Security | azure | MEDIUM | VNC Listener (TCP:5500) is exposed to small Public network | accurics.azure.NPS.251 |
Network Ports Security | azure | MEDIUM | Cassandra OpsCenter (TCP:61621) is exposed to wide Private network | accurics.azure.NPS.178 |
Network Ports Security | azure | MEDIUM | Memcached SSL (TCP:11214) is exposed to small Public network | accurics.azure.NPS.197 |
Network Ports Security | azure | MEDIUM | Microsoft-DS (TCP:445) is exposed to wide Private network | accurics.azure.NPS.206 |
Network Ports Security | azure | HIGH | NetBIOS Name Service (TCP:137) is exposed to wide Public network | accurics.azure.NPS.76 |
Network Ports Security | azure | HIGH | Prevalent known internal port (TCP:3000) is exposed to entire Public network | accurics.azure.NPS.99 |
Network Ports Security | azure | MEDIUM | MySQL (TCP:3306) is exposed to wide Private network | accurics.azure.NPS.210 |
Network Ports Security | azure | HIGH | MSSQL Server (TCP:1433) is exposed to wide Public network | accurics.azure.NPS.60 |
Network Ports Security | azure | LOW | POP3 (TCP:110) is exposed to small Private network | accurics.azure.NPS.302 |
Network Ports Security | azure | MEDIUM | SaltStack Master (TCP:4506) is exposed to small Public network | accurics.azure.NPS.247 |
Network Ports Security | azure | HIGH | SSH (TCP:22) is exposed to the wide public internet | accurics.azure.NPS.37 |
Network Ports Security | azure | MEDIUM | Hadoop Name Node (TCP:9000) is exposed to small Public network | accurics.azure.NPS.181 |
Network Ports Security | azure | HIGH | Telnet (TCP:23) is exposed to entire Public network | accurics.azure.NPS.115 |
Network Ports Security | azure | LOW | MSSQL Browser (UDP:1434) is exposed to small Private network | accurics.azure.NPS.284 |
Network Ports Security | azure | LOW | Mongo Web Portal (TCP:27018) is exposed to small Private network | accurics.azure.NPS.292 |
Network Ports Security | azure | HIGH | SMTP (TCP:25) is exposed to entire Public network | accurics.azure.NPS.103 |
Network Ports Security | azure | MEDIUM | CIFS / SMB (TCP:3020) is exposed to wide Private network | accurics.azure.NPS.174 |
Network Ports Security | azure | HIGH | PostgreSQL (TCP:5432) is exposed to entire Public network | accurics.azure.NPS.95 |
Network Ports Security | azure | HIGH | NetBIOS Datagram Service (UDP:138) is exposed to entire Public network | accurics.azure.NPS.83 |
Network Ports Security | azure | HIGH | VNC Server (TCP:5900) is exposed to entire Public network | accurics.azure.NPS.119 |
Network Ports Security | azure | HIGH | Cassandra (TCP:7001) is exposed to wide Public network | accurics.azure.NPS.40 |
Network Ports Security | azure | MEDIUM | PostgreSQL (TCP:5432) is exposed to wide Private network | accurics.azure.NPS.230 |
Network Ports Security | azure | LOW | Memcached SSL (TCP:11215) is exposed to small Private network | accurics.azure.NPS.288 |
Network Ports Security | azure | HIGH | MSSQL Browser (UDP:1434) is exposed to wide Public network | accurics.azure.NPS.56 |
Network Ports Security | azure | MEDIUM | Oracle DB SSL (UDP:2484) is exposed to wide Private network | accurics.azure.NPS.226 |
Network Ports Security | azure | MEDIUM | POP3 (TCP:110) is exposed to small Public network | accurics.azure.NPS.227 |
Network Ports Security | azure | HIGH | MSSQL Browser (UDP:1434) is exposed to entire Public network | accurics.azure.NPS.57 |
Network Ports Security | azure | LOW | Memcached SSL (UDP:11214) is exposed to small Private network | accurics.azure.NPS.289 |
Network Ports Security | azure | MEDIUM | PostgreSQL (UDP:5432) is exposed to small Public network | accurics.azure.NPS.231 |
Network Ports Security | azure | HIGH | VNC Server (TCP:5900) is exposed to wide Public network | accurics.azure.NPS.118 |
Network Ports Security | azure | HIGH | Cassandra (TCP:7001) is exposed to entire Public network | accurics.azure.NPS.41 |
Network Ports Security | azure | HIGH | NetBIOS Datagram Service (UDP:138) is exposed to wide Public network | accurics.azure.NPS.82 |
Network Ports Security | azure | HIGH | PostgreSQL (TCP:5432) is exposed to wide Public network | accurics.azure.NPS.94 |
Network Ports Security | azure | MEDIUM | Cassandra (TCP:7001) is exposed to small Public network | accurics.azure.NPS.175 |
Network Ports Security | azure | HIGH | SMTP (TCP:25) is exposed to wide Public network | accurics.azure.NPS.102 |
Network Ports Security | azure | LOW | MySQL (TCP:3306) is exposed to small Private network | accurics.azure.NPS.293 |
Network Ports Security | azure | LOW | MSSQL Debugger (TCP:135) is exposed to small Private network | accurics.azure.NPS.285 |
Network Ports Security | azure | HIGH | Telnet (TCP:23) is exposed to wide Public network | accurics.azure.NPS.114 |
Network Ports Security | azure | HIGH | Remote Desktop (TCP:3389) is exposed to the wide public internet | accurics.azure.NPS.36 |
Network Ports Security | azure | MEDIUM | DNS (UDP:53) is exposed to wide Private network | accurics.azure.NPS.180 |
Network Ports Security | azure | LOW | PostgreSQL (TCP:5432) is exposed to small Private network | accurics.azure.NPS.303 |
Network Ports Security | azure | MEDIUM | SaltStack Master (TCP:4505) is exposed to wide Private network | accurics.azure.NPS.246 |
Network Ports Security | azure | HIGH | MSSQL Server (TCP:1433) is exposed to entire Public network | accurics.azure.NPS.61 |
Network Ports Security | azure | MEDIUM | NetBIOS Name Service (TCP:137) is exposed to small Public network | accurics.azure.NPS.211 |
Network Ports Security | azure | HIGH | NetBIOS Name Service (TCP:137) is exposed to entire Public network | accurics.azure.NPS.77 |
Network Ports Security | azure | HIGH | Prevalent known internal port (TCP:3000) is exposed to wide Public network | accurics.azure.NPS.98 |
Network Ports Security | azure | MEDIUM | Mongo Web Portal (TCP:27018) is exposed to small Public network | accurics.azure.NPS.207 |
Network Ports Security | azure | MEDIUM | DNS (UDP:53) is exposed to small Public network | accurics.azure.NPS.179 |
Network Ports Security | azure | MEDIUM | MSSQL Server (TCP:1433) is exposed to wide Private network | accurics.azure.NPS.196 |
Network Ports Security | azure | LOW | VNC Server (TCP:5900) is exposed to small Private network | accurics.azure.NPS.315 |
Network Ports Security | azure | MEDIUM | Telnet (TCP:23) is exposed to wide Private network | accurics.azure.NPS.250 |
Network Ports Security | azure | HIGH | SSH (TCP:22) is exposed to the entire public internet | accurics.azure.NPS.172 |
Network Ports Security | azure | HIGH | POP3 (TCP:110) is exposed to entire Public network | accurics.azure.NPS.93 |
Network Ports Security | azure | HIGH | NetBIOS Session Service (TCP:139) is exposed to entire Public network | accurics.azure.NPS.85 |
Network Ports Security | azure | LOW | SNMP (UDP:161) is exposed to small Private network | accurics.azure.NPS.308 |
Network Ports Security | azure | HIGH | Hadoop Name Node (TCP:9000) is exposed to wide Public network | accurics.azure.NPS.46 |
Network Ports Security | azure | MEDIUM | Puppet Master (TCP:8140) is exposed to wide Private network | accurics.azure.NPS.236 |
Network Ports Security | azure | LOW | Cassandra OpsCenter (TCP:61621) is exposed to small Private network | accurics.azure.NPS.277 |
Network Ports Security | azure | LOW | NetBIOS Session Service (TCP:139) is exposed to small Private network | accurics.azure.NPS.298 |
Network Ports Security | azure | HIGH | SQL Server Analysis (TCP:2383) is exposed to entire Public network | accurics.azure.NPS.109 |
Network Ports Security | azure | HIGH | Known internal web port (TCP:8080) is exposed to wide Public network | accurics.azure.NPS.50 |
Network Ports Security | azure | MEDIUM | NetBIOS Session Service (TCP:139) is exposed to wide Private network | accurics.azure.NPS.220 |
Network Ports Security | azure | LOW | SaltStack Master (TCP:4506) is exposed to small Private network | accurics.azure.NPS.312 |
Network Ports Security | azure | MEDIUM | MSSQL Browser (UDP:1434) is exposed to small Public network | accurics.azure.NPS.191 |
Network Ports Security | azure | MEDIUM | Memcached SSL (TCP:11215) is exposed to wide Private network | accurics.azure.NPS.200 |
Network Ports Security | azure | HIGH | Microsoft-DS (TCP:445) is exposed to wide Public network | accurics.azure.NPS.70 |
Network Ports Security | azure | MEDIUM | NetBIOS Datagram Service (TCP:138) is exposed to wide Private network | accurics.azure.NPS.216 |
Network Ports Security | azure | HIGH | Memcached SSL (UDP:11214) is exposed to wide Public network | accurics.azure.NPS.66 |
Network Ports Security | azure | HIGH | Oracle DB SSL (TCP:2484) is exposed to entire Public network | accurics.azure.NPS.89 |
Network Ports Security | azure | LOW | PostgreSQL (UDP:5432) is exposed to small Private network | accurics.azure.NPS.304 |
Network Ports Security | azure | MEDIUM | SQL Server Analysis (TCP:2382) is exposed to small Public network | accurics.azure.NPS.241 |
Network Ports Security | azure | MEDIUM | LDAP SSL (TCP:636) is exposed to small Public network | accurics.azure.NPS.187 |
Network Ports Security | azure | HIGH | SaltStack Master (TCP:4506) is exposed to entire Public network | accurics.azure.NPS.113 |
Network Ports Security | azure | LOW | LDAP SSL (TCP:636) is exposed to small Private network | accurics.azure.NPS.282 |
Network Ports Security | azure | LOW | NetBIOS Name Service (TCP:137) is exposed to small Private network | accurics.azure.NPS.294 |
Network Ports Security | azure | HIGH | SNMP (UDP:161) is exposed to entire Public network | accurics.azure.NPS.105 |
Network Ports Security | azure | HIGH | SNMP (UDP:161) is exposed to wide Public network | accurics.azure.NPS.104 |
Network Ports Security | azure | LOW | NetBIOS Name Service (UDP:137) is exposed to small Private network | accurics.azure.NPS.295 |
Network Ports Security | azure | LOW | MSSQL Admin (TCP:1434) is exposed to small Private network | accurics.azure.NPS.283 |
Network Ports Security | azure | HIGH | SaltStack Master (TCP:4506) is exposed to wide Public network | accurics.azure.NPS.112 |
Network Ports Security | azure | MEDIUM | Known internal web port (TCP:8080) is exposed to wide Private network | accurics.azure.NPS.186 |
Network Ports Security | azure | LOW | Prevalent known internal port (TCP:3000) is exposed to small Private network | accurics.azure.NPS.305 |
Network Ports Security | azure | MEDIUM | SNMP (UDP:161) is exposed to wide Private network | accurics.azure.NPS.240 |
Network Ports Security | azure | HIGH | Memcached SSL (UDP:11214) is exposed to entire Public network | accurics.azure.NPS.67 |
Network Ports Security | azure | HIGH | Oracle DB SSL (TCP:2484) is exposed to wide Public network | accurics.azure.NPS.88 |
Network Ports Security | azure | MEDIUM | NetBIOS Datagram Service (UDP:138) is exposed to small Public network | accurics.azure.NPS.217 |
Network Ports Security | azure | HIGH | Microsoft-DS (TCP:445) is exposed to entire Public network | accurics.azure.NPS.71 |
Network Ports Security | azure | MEDIUM | Memcached SSL (UDP:11214) is exposed to small Public network | accurics.azure.NPS.201 |
Network Ports Security | azure | MEDIUM | MSSQL Admin (TCP:1434) is exposed to wide Private network | accurics.azure.NPS.190 |
Network Ports Security | azure | LOW | Telnet (TCP:23) is exposed to small Private network | accurics.azure.NPS.313 |
Network Ports Security | azure | MEDIUM | NetBIOS Session Service (UDP:139) is exposed to small Public network | accurics.azure.NPS.221 |
Network Ports Security | azure | HIGH | SQL Server Analysis (TCP:2383) is exposed to wide Public network | accurics.azure.NPS.108 |
Network Ports Security | azure | HIGH | Known internal web port (TCP:8080) is exposed to entire Public network | accurics.azure.NPS.51 |
Network Ports Security | azure | LOW | Cassandra (TCP:7001) is exposed to small Private network | accurics.azure.NPS.276 |
Network Ports Security | azure | LOW | NetBIOS Session Service (UDP:139) is exposed to small Private network | accurics.azure.NPS.299 |
Network Ports Security | azure | MEDIUM | SMTP (TCP:25) is exposed to small Public network | accurics.azure.NPS.237 |
Network Ports Security | azure | HIGH | Hadoop Name Node (TCP:9000) is exposed to entire Public network | accurics.azure.NPS.47 |
Network Ports Security | azure | LOW | SQL Server Analysis (TCP:2382) is exposed to small Private network | accurics.azure.NPS.309 |
Network Ports Security | azure | HIGH | NetBIOS Session Service (TCP:139) is exposed to wide Public network | accurics.azure.NPS.84 |
Network Ports Security | azure | HIGH | POP3 (TCP:110) is exposed to wide Public network | accurics.azure.NPS.92 |
Network Ports Security | azure | MEDIUM | CIFS / SMB (TCP:3020) is exposed to small Public network | accurics.azure.NPS.173 |
Network Ports Security | azure | MEDIUM | NetBIOS Session Service (UDP:139) is exposed to wide Private network | accurics.azure.NPS.222 |
Network Ports Security | azure | HIGH | LDAP SSL (TCP:636) is exposed to wide Public network | accurics.azure.NPS.52 |
Network Ports Security | azure | LOW | CIFS / SMB (TCP:3020) is exposed to small Private network | accurics.azure.NPS.275 |
Network Ports Security | azure | MEDIUM | Prevalent known internal port (TCP:3000) is exposed to wide Private network | accurics.azure.NPS.234 |
Network Ports Security | azure | HIGH | DNS (UDP:53) is exposed to wide Public network | accurics.azure.NPS.44 |
Network Ports Security | azure | MEDIUM | MSSQL Admin (TCP:1434) is exposed to small Public network | accurics.azure.NPS.189 |
Network Ports Security | azure | MEDIUM | NetBIOS Datagram Service (UDP:138) is exposed to wide Private network | accurics.azure.NPS.218 |
Network Ports Security | azure | HIGH | NetBIOS Session Service (UDP:139) is exposed to entire Public network | accurics.azure.NPS.87 |
Network Ports Security | azure | HIGH | Memcached SSL (UDP:11215) is exposed to wide Public network | accurics.azure.NPS.68 |
Network Ports Security | azure | HIGH | Oracle DB SSL (UDP:2484) is exposed to entire Public network | accurics.azure.NPS.91 |
Network Ports Security | azure | HIGH | CiscoSecure, WebSM (TCP:9090) is exposed to the entire public internet | accurics.azure.NPS.170 |
Network Ports Security | azure | HIGH | SQL Server Analysis (TCP:2382) is exposed to entire Public network | accurics.azure.NPS.107 |
Network Ports Security | azure | LOW | NetBIOS Datagram Service (TCP:138) is exposed to small Private network | accurics.azure.NPS.296 |
Network Ports Security | azure | LOW | Hadoop Name Node (TCP:9000) is exposed to small Private network | accurics.azure.NPS.279 |
Network Ports Security | azure | LOW | Known internal web port (TCP:8000) is exposed to small Private network | accurics.azure.NPS.280 |
Network Ports Security | azure | HIGH | Known internal web port (TCP:8000) is exposed to wide Public network | accurics.azure.NPS.48 |
Network Ports Security | azure | HIGH | SaltStack Master (TCP:4505) is exposed to entire Public network | accurics.azure.NPS.111 |
Network Ports Security | azure | MEDIUM | SMTP (TCP:25) is exposed to wide Private network | accurics.azure.NPS.238 |
Network Ports Security | azure | MEDIUM | Known internal web port (TCP:8080) is exposed to small Public network | accurics.azure.NPS.185 |
Network Ports Security | azure | MEDIUM | SQL Server Analysis (TCP:2383) is exposed to small Public network | accurics.azure.NPS.243 |
Network Ports Security | azure | LOW | Puppet Master (TCP:8140) is exposed to small Private network | accurics.azure.NPS.306 |
Network Ports Security | azure | HIGH | Memcached SSL (TCP:11215) is exposed to wide Public network | accurics.azure.NPS.64 |
Network Ports Security | azure | MEDIUM | NetBIOS Name Service (UDP:137) is exposed to wide Private network | accurics.azure.NPS.214 |
Network Ports Security | azure | HIGH | Mongo Web Portal (TCP:27018) is exposed to wide Public network | accurics.azure.NPS.72 |
Network Ports Security | azure | MEDIUM | Memcached SSL (UDP:11214) is exposed to wide Private network | accurics.azure.NPS.202 |
Network Ports Security | azure | MEDIUM | MSSQL Debugger (TCP:135) is exposed to small Public network | accurics.azure.NPS.193 |
Network Ports Security | azure | LOW | SQL Server Analysis (TCP:2383) is exposed to small Private network | accurics.azure.NPS.310 |
Network Ports Security | azure | MEDIUM | VNC Server (TCP:5900) is exposed to wide Private network | accurics.azure.NPS.254 |
Network Ports Security | azure | LOW | SaltStack Master (TCP:4505) is exposed to small Private network | accurics.azure.NPS.311 |
Network Ports Security | azure | MEDIUM | MSSQL Browser (UDP:1434) is exposed to wide Private network | accurics.azure.NPS.192 |
Network Ports Security | azure | MEDIUM | Memcached SSL (UDP:11215) is exposed to small Public network | accurics.azure.NPS.203 |
Network Ports Security | azure | HIGH | Mongo Web Portal (TCP:27018) is exposed to entire Public network | accurics.azure.NPS.73 |
Network Ports Security | azure | MEDIUM | NetBIOS Datagram Service (TCP:138) is exposed to small Public network | accurics.azure.NPS.215 |
Network Ports Security | azure | HIGH | Memcached SSL (TCP:11215) is exposed to entire Public network | accurics.azure.NPS.65 |
Network Ports Security | azure | MEDIUM | SQL Server Analysis (TCP:2382) is exposed to wide Private network | accurics.azure.NPS.242 |
Network Ports Security | azure | LOW | SMTP (TCP:25) is exposed to small Private network | accurics.azure.NPS.307 |
Network Ports Security | azure | MEDIUM | Known internal web port (TCP:8000) is exposed to wide Private network | accurics.azure.NPS.184 |
Network Ports Security | azure | MEDIUM | SNMP (UDP:161) is exposed to small Public network | accurics.azure.NPS.239 |
Network Ports Security | azure | HIGH | Known internal web port (TCP:8000) is exposed to entire Public network | accurics.azure.NPS.49 |
Network Ports Security | azure | HIGH | SaltStack Master (TCP:4505) is exposed to wide Public network | accurics.azure.NPS.110 |
Network Ports Security | azure | LOW | Known internal web port (TCP:8080) is exposed to small Private network | accurics.azure.NPS.281 |
Network Ports Security | azure | LOW | NetBIOS Datagram Service (UDP:138) is exposed to small Private network | accurics.azure.NPS.297 |
Network Ports Security | azure | LOW | DNS (UDP:53) is exposed to small Private network | accurics.azure.NPS.278 |
Network Ports Security | azure | HIGH | SQL Server Analysis (TCP:2382) is exposed to wide Public network | accurics.azure.NPS.106 |
Network Ports Security | azure | HIGH | Remote Desktop (TCP:3389) is exposed to the entire public internet | accurics.azure.NPS.171 |
Network Ports Security | azure | HIGH | Oracle DB SSL (UDP:2484) is exposed to wide Public network | accurics.azure.NPS.90 |
Network Ports Security | azure | HIGH | NetBIOS Session Service (UDP:139) is exposed to wide Public network | accurics.azure.NPS.86 |
Network Ports Security | azure | HIGH | Memcached SSL (UDP:11215) is exposed to entire Public network | accurics.azure.NPS.69 |
Network Ports Security | azure | MEDIUM | NetBIOS Session Service (TCP:139) is exposed to small Public network | accurics.azure.NPS.219 |
Network Ports Security | azure | MEDIUM | LDAP SSL (TCP:636) is exposed to wide Private network | accurics.azure.NPS.188 |
Network Ports Security | azure | HIGH | DNS (UDP:53) is exposed to entire Public network | accurics.azure.NPS.45 |
Network Ports Security | azure | MEDIUM | Puppet Master (TCP:8140) is exposed to small Public network | accurics.azure.NPS.235 |
Network Ports Security | azure | HIGH | LDAP SSL (TCP:636) is exposed to entire Public network | accurics.azure.NPS.53 |
Network Ports Security | azure | MEDIUM | Oracle DB SSL (TCP:2484) is exposed to small Public network | accurics.azure.NPS.223 |
Network Ports Security | azure | HIGH | MSSQL Debugger (TCP:135) is exposed to wide Public network | accurics.azure.NPS.58 |
Network Ports Security | azure | HIGH | Puppet Master (TCP:8140) is exposed to entire Public network | accurics.azure.NPS.101 |
Network Ports Security | azure | MEDIUM | POP3 (TCP:110) is exposed to wide Private network | accurics.azure.NPS.228 |
Network Ports Security | azure | LOW | Memcached SSL (UDP:11215) is exposed to small Private network | accurics.azure.NPS.290 |
Network Ports Security | azure | LOW | MSSQL Server (TCP:1433) is exposed to small Private network | accurics.azure.NPS.286 |
Network Ports Security | azure | HIGH | VNC Listener (TCP:5500) is exposed to entire Public network | accurics.azure.NPS.117 |
Network Ports Security | azure | MEDIUM | Known internal web port (TCP:8000) is exposed to small Public network | accurics.azure.NPS.183 |
Network Ports Security | azure | HIGH | CiscoSecure, WebSM (TCP:9090) is exposed to the wide public internet | accurics.azure.NPS.35 |
Network Ports Security | azure | MEDIUM | SaltStack Master (TCP:4505) is exposed to small Public network | accurics.azure.NPS.245 |
Network Ports Security | azure | LOW | Oracle DB SSL (TCP:2484) is exposed to small Private network | accurics.azure.NPS.300 |
Network Ports Security | azure | HIGH | Memcached SSL (TCP:11214) is exposed to wide Public network | accurics.azure.NPS.62 |
Network Ports Security | azure | MEDIUM | NetBIOS Name Service (TCP:137) is exposed to wide Private network | accurics.azure.NPS.212 |
Network Ports Security | azure | HIGH | MySQL (TCP:3306) is exposed to wide Public network | accurics.azure.NPS.74 |
Network Ports Security | azure | MEDIUM | Memcached SSL (UDP:11215) is exposed to wide Private network | accurics.azure.NPS.204 |
Network Ports Security | azure | MEDIUM | MSSQL Server (TCP:1433) is exposed to small Public network | accurics.azure.NPS.195 |
Network Ports Security | azure | MEDIUM | VNC Server (TCP:5900) is exposed to small Public network | accurics.azure.NPS.253 |
Network Ports Security | azure | MEDIUM | Oracle DB SSL (TCP:2484) is exposed to wide Private network | accurics.azure.NPS.224 |
Network Ports Security | azure | HIGH | MSSQL Admin (TCP:1434) is exposed to wide Public network | accurics.azure.NPS.54 |
Network Ports Security | azure | MEDIUM | PostgreSQL (UDP:5432) is exposed to wide Private network | accurics.azure.NPS.232 |
Network Ports Security | azure | HIGH | Cassandra OpsCenter (TCP:61621) is exposed to wide Public network | accurics.azure.NPS.42 |
Network Ports Security | azure | MEDIUM | Telnet (TCP:23) is exposed to small Public network | accurics.azure.NPS.249 |
Network Ports Security | azure | HIGH | CIFS / SMB (TCP:3020) is exposed to entire Public network | accurics.azure.NPS.39 |
Network Ports Security | azure | HIGH | NetBIOS Datagram Service (TCP:138) is exposed to entire Public network | accurics.azure.NPS.81 |
Network Ports Security | azure | MEDIUM | Mongo Web Portal (TCP:27018) is exposed to wide Private network | accurics.azure.NPS.208 |
Network Ports Security | azure | HIGH | PostgreSQL (UDP:5432) is exposed to entire Public network | accurics.azure.NPS.97 |
Network Ports Security | azure | HIGH | NetBIOS Name Service (UDP:137) is exposed to wide Public network | accurics.azure.NPS.78 |
Network Ports Security | azure | MEDIUM | Memcached SSL (TCP:11215) is exposed to small Public network | accurics.azure.NPS.199 |
Network Ports Security | azure | MEDIUM | Cassandra (TCP:7001) is exposed to wide Private network | accurics.azure.NPS.176 |
Network Ports Security | azure | MEDIUM | Memcached SSL (TCP:11214) is exposed to wide Private network | accurics.azure.NPS.198 |
Network Ports Security | azure | MEDIUM | Cassandra OpsCenter (TCP:61621) is exposed to small Public network | accurics.azure.NPS.177 |
Network Ports Security | azure | HIGH | PostgreSQL (UDP:5432) is exposed to wide Public network | accurics.azure.NPS.96 |
Network Ports Security | azure | HIGH | NetBIOS Name Service (UDP:137) is exposed to entire Public network | accurics.azure.NPS.79 |
Network Ports Security | azure | MEDIUM | MySQL (TCP:3306) is exposed to small Public network | accurics.azure.NPS.209 |
Network Ports Security | azure | HIGH | NetBIOS Datagram Service (TCP:138) is exposed to wide Public network | accurics.azure.NPS.80 |
Network Ports Security | azure | HIGH | CIFS / SMB (TCP:3020) is exposed to wide Public network | accurics.azure.NPS.38 |
Network Ports Security | azure | MEDIUM | SaltStack Master (TCP:4506) is exposed to wide Private network | accurics.azure.NPS.248 |
Network Ports Security | azure | HIGH | Cassandra OpsCenter (TCP:61621) is exposed to entire Public network | accurics.azure.NPS.43 |
Network Ports Security | azure | MEDIUM | Prevalent known internal port (TCP:3000) is exposed to small Public network | accurics.azure.NPS.233 |
Network Ports Security | azure | HIGH | MSSQL Admin (TCP:1434) is exposed to entire Public network | accurics.azure.NPS.55 |
Network Ports Security | azure | MEDIUM | Oracle DB SSL (UDP:2484) is exposed to small Public network | accurics.azure.NPS.225 |
Network Ports Security | azure | MEDIUM | VNC Listener (TCP:5500) is exposed to wide Private network | accurics.azure.NPS.252 |
Network Ports Security | azure | MEDIUM | MSSQL Debugger (TCP:135) is exposed to wide Private network | accurics.azure.NPS.194 |
Network Ports Security | azure | MEDIUM | Microsoft-DS (TCP:445) is exposed to small Public network | accurics.azure.NPS.205 |
Network Ports Security | azure | HIGH | MySQL (TCP:3306) is exposed to entire Public network | accurics.azure.NPS.75 |
Network Ports Security | azure | MEDIUM | NetBIOS Name Service (UDP:137) is exposed to small Public network | accurics.azure.NPS.213 |
Network Ports Security | azure | HIGH | Memcached SSL (TCP:11214) is exposed to entire Public network | accurics.azure.NPS.63 |
Network Ports Security | azure | MEDIUM | SQL Server Analysis (TCP:2383) is exposed to wide Private network | accurics.azure.NPS.244 |
Network Ports Security | azure | LOW | Oracle DB SSL (UDP:2484) is exposed to small Private network | accurics.azure.NPS.301 |
Network Ports Security | azure | MEDIUM | Hadoop Name Node (TCP:9000) is exposed to wide Private network | accurics.azure.NPS.182 |
Network Ports Security | azure | HIGH | VNC Listener (TCP:5500) is exposed to wide Public network | accurics.azure.NPS.116 |
Network Ports Security | azure | LOW | Memcached SSL (TCP:11214) is exposed to small Private network | accurics.azure.NPS.287 |
Network Ports Security | azure | LOW | Microsoft-DS (TCP:445) is exposed to small Private network | accurics.azure.NPS.291 |
Network Ports Security | azure | MEDIUM | PostgreSQL (TCP:5432) is exposed to small Public network | accurics.azure.NPS.229 |
Network Ports Security | azure | HIGH | MSSQL Debugger (TCP:135) is exposed to entire Public network | accurics.azure.NPS.59 |
Network Ports Security | azure | HIGH | Puppet Master (TCP:8140) is exposed to wide Public network | accurics.azure.NPS.100 |
azurerm_cosmosdb_account¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | azure | HIGH | Ensure to filter source Ips for Cosmos DB Account | accurics.azure.NS.32 |
Cloud Assets Management | azure | MEDIUM | Ensure that Cosmos DB Account has an associated tag | accurics.azure.CAM.162 |
azurerm_security_center_subscription_pricing¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Operational Efficiency | azure | MEDIUM | Ensure that standard pricing tiers are selected | accurics.azure.OPS.349 |
azurerm_sql_active_directory_administrator¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Identity and Access Management | azure | MEDIUM | Avoid using names like 'Admin' for an Azure SQL Server Active Directory Administrator account | accurics.azure.IAM.137 |
azurerm_container_registry¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption and Key Management | azure | MEDIUM | Ensure that admin user is disabled for Container Registry | accurics.azure.EKM.164 |
Azure Container Services | azure | HIGH | Ensure Container Registry has locks | accurics.azure.AKS.3 |
azurerm_virtual_network¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | azure | MEDIUM | Ensure that Azure Virtual Network subnet is configured with a Network Security Group | accurics.azure.NS.161 |
azurerm_role_assignment¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Identity and Access Management | azure | HIGH | Ensure that there are no guest users | accurics.azure.IAM.388 |
azurerm_application_gateway¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | azure | MEDIUM | Ensure Azure Application Gateway Web application firewall (WAF) is enabled | accurics.azure.NS.147 |
azurerm_postgresql_server¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption and Key Management | azure | HIGH | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | accurics.azure.EKM.1 |
Backup and Disaster Recovery | azure | HIGH | Ensure that Geo Redundant Backups is enabled on PostgreSQL | accurics.azure.BDR.163 |
google_container_node_pool¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Operational Efficiency | gcp | HIGH | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters. | accurics.gcp.OPS.101 |
Operational Efficiency | gcp | HIGH | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image. | accurics.gcp.OPS.114 |
Operational Efficiency | gcp | MEDIUM | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters. | accurics.gcp.OPS.144 |
github_repository¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Identity & Access Management | gcp | MEDIUM | Repository is Not Private. | accurics.gcp.IAM.145 |
google_bigquery_dataset¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Identity & Access Management | gcp | HIGH | BigQuery datasets may be anonymously or publicly accessible. | accurics.gcp.IAM.106 |
google_compute_project_metadata¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Access Control | gcp | HIGH | Ensure oslogin is enabled for a Project | accurics.gcp.IAM.127 |
google_compute_subnetwork¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Logging | gcp | MEDIUM | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network. | accurics.gcp.LOG.118 |
google_project_iam_audit_config¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Logging | gcp | HIGH | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project. | accurics.gcp.LOG.010 |
google_sql_database_instance¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Backup & Disaster Recovery | gcp | HIGH | Ensure all Cloud SQL database instance have backup configuration enabled. | accurics.gcp.BDR.105 |
Network Security | gcp | HIGH | Ensure that Cloud SQL database Instances are not open to the world. | accurics.gcp.NS.102 |
Encryption & Key Management | gcp | HIGH | Ensure that Cloud SQL database instance requires all incoming connections to use SSL | accurics.gcp.EKM.141 |
google_compute_instance¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | gcp | MEDIUM | Ensure IP forwarding is not enabled on Instances. | accurics.gcp.NS.130 |
Network Security | gcp | MEDIUM | Ensure 'Block Project-wide SSH keys' is enabled for VM instances. | accurics.gcp.NS.126 |
Encryption & Key Management | gcp | MEDIUM | VM disks attached to a compute instance should be encrypted with Customer Supplied Encryption Keys (CSEK) . | accurics.gcp.EKM.132 |
Identity & Access Management | gcp | MEDIUM | Instances may have been configured to use the default service account with full access to all Cloud APIs | accurics.gcp.IAM.124 |
Network Security | gcp | MEDIUM | Ensure 'Enable connecting to serial ports' is not enabled for VM instances. | accurics.gcp.NS.129 |
Network Security | gcp | MEDIUM | Ensure Compute instances are launched with Shielded VM enabled. | accurics.gcp.NS.133 |
Identity & Access Management | gcp | MEDIUM | Ensure that no instance in the project overrides the project setting for enabling OSLogin | accurics.gcp.IAM.128 |
Access Control | gcp | HIGH | Instances may have been configured to use the default service account with full access to all Cloud APIs | accurics.gcp.NS.125 |
google_storage_bucket_iam_binding¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Identity & Access Management | gcp | MEDIUM | Ensure that Cloud Storage bucket is not anonymously or publicly accessible. | accurics.gcp.IAM.121 |
google_container_cluster¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Monitoring | gcp | HIGH | Ensure Stackdriver Monitoring is enabled on Kubernetes Engine Clusters. | accurics.gcp.MON.143 |
Network Security | gcp | HIGH | Ensure Kubernetes Cluster is created with Private cluster enabled. | accurics.gcp.NS.117 |
Operational Efficiency | gcp | HIGH | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters. | accurics.gcp.OPS.116 |
Identity & Access Management | gcp | HIGH | Ensure GKE basic auth is disabled. | accurics.gcp.IAM.110 |
Network Security | gcp | HIGH | Ensure Master Authentication is set to enabled on Kubernetes Engine Clusters. | accurics.gcp.NS.112 |
Operational Efficiency | gcp | HIGH | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | accurics.gcp.OPS.115 |
Network Security | gcp | HIGH | Ensure GKE Control Plane is not public. | accurics.gcp.NS.109 |
Identity & Access Management | gcp | HIGH | Ensure Kubernetes Cluster is created with Client Certificate disabled. | accurics.gcp.IAM.104 |
Operational Efficiency | gcp | HIGH | Ensure Kubernetes Clusters are configured with Labels. | accurics.gcp.OPS.113 |
Identity & Access Management | gcp | HIGH | Ensure Legacy Authorization is set to disabled on Kubernetes Engine Clusters. | accurics.gcp.IAM.142 |
Logging | gcp | HIGH | Ensure Stackdriver Logging is enabled on Kubernetes Engine Clusters. | accurics.gcp.LOG.100 |
Network Security | gcp | HIGH | Ensure Network policy is enabled on Kubernetes Engine Clusters. | accurics.gcp.NS.103 |
google_project¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | gcp | MEDIUM | Ensure that the default network does not exist in a project. | accurics.gcp.NS.119 |
google_compute_firewall¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | gcp | MEDIUM | Ensure that SSH access is restricted from the internet | accurics.gcp.NS.149 |
Network Security | gcp | MEDIUM | Ensure that SSH access is restricted from the internet | accurics.gcp.NS.148 |
Network Security | gcp | MEDIUM | Ensure Google compute firewall ingress does not allow unrestricted rdp access. | accurics.gcp.NS.123 |
google_dns_managed_zone¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption & Key Management | gcp | HIGH | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC. | accurics.gcp.EKM.108 |
Network Security | gcp | HIGH | Ensure that DNSSEC is enabled for Cloud DNS. | accurics.gcp.NS.107 |
google_compute_disk¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption & Key Management | gcp | MEDIUM | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) . | accurics.gcp.EKM.131 |
google_project_iam_member¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Identity & Access Management | gcp | MEDIUM | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level. | accurics.gcp.IAM.137 |
Identity & Access Management | gcp | MEDIUM | Ensure that Service Account has no Admin privileges. | accurics.gcp.IAM.138 |
google_storage_bucket_iam_member¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Identity & Access Management | gcp | HIGH | Ensure that Cloud Storage bucket is not anonymously or publicly Accessible. | accurics.gcp.IAM.120 |
google_compute_ssl_policy¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption & Key Management | gcp | MEDIUM | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites. | accurics.gcp.EKM.134 |
google_storage_bucket¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Logging | gcp | HIGH | Ensure that logging is enabled for Cloud storage buckets. | accurics.gcp.LOG.147 |
Logging | gcp | HIGH | Ensure that object versioning is enabled on log-buckets. | accurics.gcp.LOG.146 |
Identity & Access Management | gcp | MEDIUM | Ensure that Cloud Storage buckets have uniform bucket-level access enabled. | accurics.gcp.IAM.122 |
google_kms_crypto_key¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption & Key Management | gcp | MEDIUM | Ensure Encryption keys are rotated within a period of 90 days. | accurics.gcp.EKM.139 |
Encryption & Key Management | gcp | HIGH | Ensure Encryption keys are rotated within a period of 365 days. | accurics.gcp.EKM.007 |
google_project_iam_binding¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Identity & Access Management | gcp | MEDIUM | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level. | accurics.gcp.IAM.136 |
Identity and Access Management | gcp | HIGH | Ensure that corporate login credentials are used instead of Gmail accounts. | accurics.gcp.IAM.150 |
github_repository¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Identity & Access Management | github | MEDIUM | Repository is Not Private. | accurics.github.IAM.1 |
github_repository_webhook¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption and Key Management | github | MEDIUM | Insecure SSL is used for repository webhook. | accurics.github.EKM.2 |
github_organization_webhook¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption and Key Management | github | MEDIUM | Insecure SSL is used for organization webhook. | accurics.github.EKM.1 |
kubernetes_service¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | json | MEDIUM | Restrict the use of externalIPs | AC-K8-NS-SE-M-0188 |
Network Security | json | MEDIUM | Ensure that the Tiller Service (Helm v2) is deleted | AC-K8-NS-SE-M-0185 |
Network Security | json | LOW | Nodeport service can expose the worker nodes as they have public interface | AC-K8-NS-SV-L-0132 |
Network Security | json | MEDIUM | Vulnerable to CVE-2020-8554 | AC-K8-NS-SE-M-0188 |
kubernetes_ingress¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | json | HIGH | TLS disabled can affect the confidentiality of the data in transit | AC-K8-NS-IN-H-0020 |
kubernetes_pod¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Network Security | json | MEDIUM | Containers Should Not Share the Host Network Namespace | AC-K8-NS-PO-M-0164 |
Network Security | json | MEDIUM | Image without digest affects the integrity principle of image security | AC-K8-NS-PO-M-0133 |
Identity and Access Management | json | HIGH | Minimize Admission of Root Containers | AC-K8-IA-PO-H-0168 |
Operational Efficiency | json | MEDIUM | CPU Request Not Set in config file. | AC-K8-OE-PK-M-0155 |
Operational Efficiency | json | MEDIUM | Default Namespace Should Not be Used | AC-K8-OE-PO-M-0166 |
Network Security | json | HIGH | Do Not Use CAP_SYS_ADMIN Linux Capability | AC-K8-NS-PO-H-0170 |
Operational Efficiency | json | MEDIUM | Memory Limits Not Set in config file. | AC-K8-OE-PK-M-0158 |
Data Security | json | MEDIUM | Ensure That Tiller (Helm V2) Is Not Deployed | AC-K8-DS-PO-M-0177 |
Operational Efficiency | json | LOW | No readiness probe will affect automatic recovery in case of unexpected errors | AC-K8-OE-PO-L-0130 |
Identity and Access Management | json | MEDIUM | Default seccomp profile not enabled will make the container to make non-essential system calls | AC-K8-IA-PO-M-0141 |
Identity and Access Management | json | MEDIUM | Container images with readOnlyRootFileSystem set as false mounts the container root file system with write permissions | AC-K8-IA-PO-M-0140 |
Network Security | json | HIGH | Prefer using secrets as files over secrets as environment variables | AC-K8-NS-PO-H-0117 |
Network Security | json | MEDIUM | Containers Should Not Share Host IPC Namespace | AC-K8-NS-PO-M-0163 |
Network Security | json | MEDIUM | Apply Security Context to Your Pods and Containers | AC-K8-NS-PO-M-0122 |
Data Security | json | MEDIUM | Ensure Kubernetes Dashboard Is Not Deployed | AC-K8-DS-PO-M-0176 |
Identity and Access Management | json | HIGH | Allowing hostPaths to mount to Pod arise the probability of getting access to the node's filesystem | AC-K8-IA-PO-H-0138 |
Identity and Access Management | json | MEDIUM | Some volume types mount the host file system paths to the pod or container, thus increasing the chance of escaping the container to access the host | AC-K8-IA-PO-M-0143 |
Identity and Access Management | json | HIGH | Allowing the pod to make system level calls provide access to host/node sensitive information | AC-K8-IA-PO-H-0137 |
Operational Efficiency | json | MEDIUM | AlwaysPullImages plugin is not set | AC-K8-OE-PK-M-0034 |
Identity and Access Management | json | MEDIUM | Unmasking the procMount will allow more information than is necessary to the program running in the containers spawned by k8s | AC-K8-IA-PO-M-0139 |
Identity and Access Management | json | MEDIUM | AppArmor profile not set to default or custom profile will make the container vulnerable to kernel level threats | AC-K8-IA-PO-M-0135 |
Identity and Access Management | json | MEDIUM | Containers Should Not Share Host Process ID Namespace | AC-K8-IA-PO-M-0162 |
Network Security | json | MEDIUM | Containers Should Run as a High UID to Avoid Host Conflict | AC-K8-NS-PO-M-0182 |
Identity and Access Management | json | MEDIUM | Minimize the admission of containers with the NET_RAW capability | AC-K8-IA-PS-M-0112 |
Operational Efficiency | json | LOW | No liveness probe will ensure there is no recovery in case of unexpected errors | AC-K8-OE-PO-L-0129 |
Operational Efficiency | json | LOW | No tag or container image with :Latest tag makes difficult to rollback and track | AC-K8-OE-PO-L-0134 |
Operational Efficiency | json | MEDIUM | Memory Request Not Set in config file. | AC-K8-OE-PK-M-0157 |
Cloud Assets Management | json | HIGH | Containers Should Not Run with AllowPrivilegeEscalation | AC-K8-CA-PO-H-0165 |
Identity and Access Management | json | HIGH | Minimize the admission of privileged containers | AC-K8-IA-PO-H-0106 |
Operational Efficiency | json | MEDIUM | CPU Limits Not Set in config file. | AC-K8-OE-PK-M-0156 |
Network Security | json | MEDIUM | Restrict Mounting Docker Socket in a Container | AC-K8-NS-PO-M-0171 |
Identity and Access Management | json | MEDIUM | Ensure that Service Account Tokens are only mounted where necessary | AC-K8-IA-PO-M-0105 |
Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.120 |
Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.116 |
Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.117 |
Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.106 |
Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.110 |
Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.111 |
Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.107 |
Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.112 |
Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.108 |
Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.109 |
Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.105 |
Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.113 |
Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.118 |
Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.114 |
Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.115 |
Identity and Access Management | kubernetes | MEDIUM | Container does not have resource limitations defined | accurics.kubernetes.IAM.119 |
Data Security | json | MEDIUM | Vulnerable to CVE-2020-8555 (affected versions of kube-controller-manager: v1.18.0, v1.17.0 - v1.17.4, v1.16.0 - v1.16.8, < v1.15.11) | AC-K8-DS-PO-M-0143 |
Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.64 |
Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.72 |
Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.68 |
Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.69 |
Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.65 |
Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.58 |
Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.62 |
Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.63 |
Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.59 |
Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.60 |
Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.61 |
Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.57 |
Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.70 |
Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.66 |
Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.67 |
Encryption and Key Management | kubernetes | HIGH | Container uses secrets in environment variables | accurics.kubernetes.EKM.71 |
Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.81 |
Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.78 |
Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.74 |
Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.75 |
Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.79 |
Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.80 |
Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.87 |
Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.86 |
Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.73 |
Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.85 |
Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.84 |
Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.88 |
Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.83 |
Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.76 |
Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.77 |
Identity and Access Management | kubernetes | MEDIUM | Pod has extra capabilities allowed | accurics.kubernetes.IAM.82 |
kubernetes_role¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Identity and Access Management | json | HIGH | Ensure that default service accounts are not actively used | AC-K8-IA-RO-H-0104 |
kubernetes_namespace¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Operational Efficiency | kubernetes | LOW | The default namespace should not be used | accurics.kubernetes.OPS.462 |
Operational Efficiency | kubernetes | LOW | The default namespace should not be used | accurics.kubernetes.OPS.460 |
Operational Efficiency | kubernetes | LOW | The default namespace should not be used | accurics.kubernetes.OPS.461 |
Operational Efficiency | json | LOW | No owner for namespace affects the operations | AC-K8-OE-NS-L-0128 |
github_repository¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Identity & Access Management | github | MEDIUM | Repository is Not Private. | accurics.github.IAM.1 |
github_repository_webhook¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption and Key Management | github | MEDIUM | Insecure SSL is used for repository webhook. | accurics.github.EKM.2 |
github_organization_webhook¶
Category | Resource | Severity | Description | Reference ID |
---|---|---|---|---|
Encryption and Key Management | github | MEDIUM | Insecure SSL is used for organization webhook. | accurics.github.EKM.1 |
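As an added illustration of what the checks in the Kubernetes and GitHub tables above actually look for (example code written for this page, not Terrascan's shipped Rego policies), the following Python evaluates those table descriptions against the normalized `--config-only` JSON. The layout of that JSON beyond the `id` and `name` keys shown earlier is an assumption: each resource is taken to carry a `config` dict with its attributes, nested HCL blocks as lists of dicts, and Kubernetes manifests kept as-is. Both sample inputs are constructed, and the checks are keyed by the table descriptions rather than mapped to individual reference IDs.

```python
"""Evaluate a few of the tabled policy descriptions against Terrascan's
normalized --config-only JSON.

Added illustration, not Terrascan's own Rego. Assumed layout: each
resource type maps to a list of resources with "id" and a "config" dict
holding the attributes (nested HCL blocks as lists of dicts, Kubernetes
manifests unchanged)."""
import json

# Constructed sample in the assumed layout carrying the weak settings the
# tables describe: public repo, insecure_ssl webhook, Secret read through
# an env var, added Linux capability, pod in the default namespace.
WEAK_CONFIG = json.loads("""
{"github_repository": [{"id": "github_repository.example", "name": "example",
   "config": {"name": "example", "private": false}}],
 "github_repository_webhook": [{"id": "github_repository_webhook.ci", "name": "ci",
   "config": {"repository": "example", "configuration": [
     {"url": "https://ci.example.invalid/hook", "insecure_ssl": true}]}}],
 "kubernetes_pod": [{"id": "kubernetes_pod.app", "name": "app",
   "config": {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "app", "namespace": "default"},
     "spec": {"containers": [{"name": "app", "image": "app:1.0",
       "env": [{"name": "DB_PASSWORD",
                "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}],
       "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}]}}}]}
""")

# The same constructed resources with each setting corrected: private repo,
# TLS verified on the webhook, Secret mounted as a read-only file, all
# capabilities dropped, dedicated namespace.
HARDENED_CONFIG = json.loads("""
{"github_repository": [{"id": "github_repository.example", "name": "example",
   "config": {"name": "example", "private": true}}],
 "github_repository_webhook": [{"id": "github_repository_webhook.ci", "name": "ci",
   "config": {"repository": "example", "configuration": [
     {"url": "https://ci.example.invalid/hook", "insecure_ssl": false}]}}],
 "kubernetes_pod": [{"id": "kubernetes_pod.app", "name": "app",
   "config": {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "app", "namespace": "payments"},
     "spec": {"volumes": [{"name": "db", "secret": {"secretName": "db"}}],
       "containers": [{"name": "app", "image": "app:1.0",
       "volumeMounts": [{"name": "db", "mountPath": "/run/secrets/db", "readOnly": true}],
       "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}}}]}
""")


def _blocks(value):
    """Nested HCL blocks normalize to a list of dicts; tolerate a bare dict too."""
    return [value] if isinstance(value, dict) else (value or [])


def _containers(cfg):
    """Yield (pod id, pod config, container) over containers and initContainers."""
    for pod in cfg.get("kubernetes_pod", []):
        conf = pod.get("config", {})
        spec = conf.get("spec", {})
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            yield pod["id"], conf, c


def repositories_not_private(cfg):
    """'Repository is Not Private': the provider's default for private is false."""
    return [r["id"] for r in cfg.get("github_repository", [])
            if not r.get("config", {}).get("private", False)]


def webhooks_with_insecure_ssl(cfg):
    """'Insecure SSL is used for ... webhook': configuration.insecure_ssl is set."""
    found = []
    for rtype in ("github_repository_webhook", "github_organization_webhook"):
        for hook in cfg.get(rtype, []):
            for block in _blocks(hook.get("config", {}).get("configuration")):
                # The provider attribute is a bool; also accept the API's "1"/"true" strings.
                if str(block.get("insecure_ssl", False)).lower() in ("true", "1"):
                    found.append(hook["id"])
    return found


def containers_with_secret_env(cfg):
    """'Container uses secrets in environment variables': env or envFrom backed by a Secret."""
    found = []
    for pod_id, _, c in _containers(cfg):
        for env in c.get("env", []):
            if "secretKeyRef" in env.get("valueFrom", {}):
                found.append(f"{pod_id}:{c['name']}:{env['name']}")
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                found.append(f"{pod_id}:{c['name']}:envFrom")
    return found


def containers_with_added_capabilities(cfg):
    """'Pod has extra capabilities allowed': securityContext.capabilities.add is non-empty."""
    found = []
    for pod_id, _, c in _containers(cfg):
        caps = c.get("securityContext", {}).get("capabilities", {}).get("add") or []
        if caps:
            found.append((f"{pod_id}:{c['name']}", sorted(caps)))
    return found


def resources_in_default_namespace(cfg):
    """'The default namespace should not be used': namespace is 'default' or omitted."""
    return [pod["id"] for pod in cfg.get("kubernetes_pod", [])
            if pod.get("config", {}).get("metadata", {}).get("namespace", "default") == "default"]


def evaluate(cfg):
    """Run every check; returns {table description: findings}, omitting clean ones."""
    checks = {
        "Repository is Not Private": repositories_not_private,
        "Insecure SSL is used for webhook": webhooks_with_insecure_ssl,
        "Container uses secrets in environment variables": containers_with_secret_env,
        "Pod has extra capabilities allowed": containers_with_added_capabilities,
        "The default namespace should not be used": resources_in_default_namespace,
    }
    report = {}
    for desc, fn in checks.items():
        hits = fn(cfg)
        if hits:
            report[desc] = hits
    return report


if __name__ == "__main__":
    print(json.dumps(evaluate(WEAK_CONFIG), indent=2))
    print(json.dumps(evaluate(HARDENED_CONFIG), indent=2))
```

Running it reports one finding per description for the weak input and an empty report for the hardened one. Under the assumed layout, a Rego policy for the same rule walks the same `config` fields (for example `input.github_repository[_].config.private`), so the `--config-only` dump is the fastest way to confirm the attribute path before writing the rule.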