Looks like the following queries are trying to find the same issues in different platforms but do not share the same metadata.
Can you please approve/deny the assumption?
Different Severity & Category
Automatic Minor Upgrades Disabled
[
{
"id": "3b6d777b-76e3-4133-80a3-0d6f667ade7f",
"queryName": "Automatic Minor Upgrades Disabled",
"severity": "HIGH",
"category": "Encryption",
"descriptionText": "RDS Instance Auto Minor Version Upgrade feature in Aws Db Instance must be true",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#auto_minor_version_upgrade",
"platform": "Terraform",
"descriptionID": "240cddcc",
"cloudProvider": "aws"
},
{
"id": "f0104061-8bfc-4b45-8a7d-630eb502f281",
"queryName": "Automatic Minor Upgrades Disabled",
"severity": "MEDIUM",
"category": "Best Practices",
"descriptionText": "AWS RDS should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true.",
"descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html",
"platform": "CloudFormation",
"descriptionID": "e2908402",
"cloudProvider": "aws"
}
]
SNS Topic is Publicly Accessible For Subscription
[
{
"id": "b26d2b7e-60f6-413d-a3a1-a57db24aa2b3",
"queryName": "SNS Topic is Publicly Accessible For Subscription",
"severity": "MEDIUM",
"category": "Access Control",
"descriptionText": "This query checks if SNS Topic is Accessible For Subscription",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic",
"platform": "Terraform",
"descriptionID": "52e85de5",
"cloudProvider": "aws"
},
{
"id": "ae53ce91-42b5-46bf-a84f-9a13366a4f13",
"queryName": "SNS Topic is Publicly Accessible For Subscription",
"severity": "LOW",
"category": "Observability",
"descriptionText": "Ensure appropriate subscribers to each SNS topic",
"descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-topic.html#cfn-sns-topic-subscription",
"platform": "CloudFormation",
"descriptionID": "93100b84",
"cloudProvider": "aws"
}
]
EC2 Instance Has Public IP
[
{
"id": "5a2486aa-facf-477d-a5c1-b010789459ce",
"queryName": "EC2 Instance Has Public IP",
"severity": "HIGH",
"category": "Networking and Firewall",
"descriptionText": "EC2 Instance should not have a public IP address.",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#associate_public_ip_address",
"platform": "Terraform",
"descriptionID": "c6f1d1f4",
"cloudProvider": "aws"
},
{
"id": "b3de4e4c-14be-4159-b99d-9ad194365e4c",
"queryName": "EC2 Instance Has Public IP",
"severity": "MEDIUM",
"category": "Insecure Configurations",
"descriptionText": "EC2 Subnet should not have MapPublicIpOnLaunch set to true",
"descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html#cfn-ec2-subnet-mappubliciponlaunch",
"platform": "CloudFormation",
"descriptionID": "22e3d598",
"cloudProvider": "aws"
}
]
SQS With SSE Disabled
[
{
"id": "6e8849c1-3aa7-40e3-9063-b85ee300f29f",
"queryName": "SQS With SSE Disabled",
"severity": "HIGH",
"category": "Insecure Configurations",
"descriptionText": "Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue",
"platform": "Terraform",
"descriptionID": "e478b54b",
"cloudProvider": "aws"
},
{
"id": "12726829-93ed-4d51-9cbe-13423f4299e1",
"queryName": "SQS with SSE disabled",
"severity": "MEDIUM",
"category": "Secret Management",
"descriptionText": "AWS SQS Queue should have a KMS Master Key defined",
"descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-sqs-queue-kmsmasterkeyid",
"platform": "CloudFormation",
"descriptionID": "7c3c1b44",
"cloudProvider": "aws"
}
]
Shared Host IPC Namespace
[
{
"id": "e94d3121-c2d1-4e34-a295-139bfeb73ea3",
"queryName": "Shared Host IPC Namespace",
"severity": "HIGH",
"category": "Insecure Configurations",
"descriptionText": "Container should not share the host IPC namespace",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_ipc",
"platform": "Terraform",
"descriptionID": "e76243f6"
},
{
"id": "cd290efd-6c82-4e9d-a698-be12ae31d536",
"queryName": "Shared Host IPC Namespace",
"severity": "HIGH",
"category": "Insecure Configurations",
"descriptionText": "Container should not share the host IPC namespace",
"descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
"platform": "Kubernetes",
"descriptionID": "1ef1fe71"
},
{
"id": "baa3890f-bed7-46f5-ab8f-1da8fc91c729",
"queryName": "Shared Host IPC Namespace",
"severity": "MEDIUM",
"category": "Resource Management",
"descriptionText": "The host IPC namespace should not be shared.",
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir",
"platform": "DockerCompose",
"descriptionID": "987dc2d7"
}
]
Shared Host Network Namespace
[
{
"id": "ac1564a3-c324-4747-9fa1-9dfc234dace0",
"queryName": "Shared Host Network Namespace",
"severity": "HIGH",
"category": "Insecure Configurations",
"descriptionText": "Container should not share the host network namespace",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_network",
"platform": "Terraform",
"descriptionID": "bf155ca7"
},
{
"id": "6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a",
"queryName": "Shared Host Network Namespace",
"severity": "HIGH",
"category": "Insecure Configurations",
"descriptionText": "Container should not share the host network namespace",
"descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
"platform": "Kubernetes",
"descriptionID": "50e5de80"
},
{
"id": "071a71ff-f868-47a4-ac0b-3c59e4ab5443",
"queryName": "Shared Host Network Namespace",
"severity": "MEDIUM",
"category": "Networking and Firewall",
"descriptionText": "Container should not share the host network namespace",
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#network_mode",
"platform": "DockerCompose",
"descriptionID": "25acba10"
}
]
Not Limited Capabilities For Pod Security Policy
[
{
"id": "2acb555f-f4ad-4b1b-b984-84e6588f4b05",
"queryName": "Not Limited Capabilities For Pod Security Policy",
"severity": "HIGH",
"category": "Insecure Configurations",
"descriptionText": "Limit capabilities for a Pod Security Policy",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#required_drop_capabilities",
"platform": "Terraform",
"descriptionID": "c42b1890"
},
{
"id": "caa93370-791f-4fc6-814b-ba6ce0cb4032",
"queryName": "Not Limited Capabilities For Pod Security Policy",
"severity": "MEDIUM",
"category": "Build Process",
"descriptionText": "Limit capabilities for a Pod Security Policy",
"descriptionUrl": "https://kubernetes.io/docs/concepts/policy/pod-security-policy/",
"platform": "Kubernetes",
"descriptionID": "eaf6d4ba"
}
]
Different Severity
IAM Policy Grants Full Permissions
[
{
"id": "575a2155-6af1-4026-b1af-d5bc8fe2a904",
"queryName": "IAM Policy Grants Full Permissions",
"severity": "MEDIUM",
"category": "Access Control",
"descriptionText": "IAM policies allow all ('*') in a statement action",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy",
"platform": "Terraform",
"descriptionID": "f20cf2cf",
"cloudProvider": "aws"
},
{
"id": "f62aa827-4ade-4dc4-89e4-1433d384a368",
"queryName": "IAM Policy Grants Full Permissions",
"severity": "LOW",
"category": "Access Control",
"descriptionText": "Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.",
"descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html",
"platform": "CloudFormation",
"descriptionID": "d4158e76",
"cloudProvider": "aws"
}
]
Unrestricted Security Group Ingress
[
{
"id": "4728cd65-a20c-49da-8b31-9c08b423e4db",
"queryName": "Unrestricted Security Group Ingress",
"severity": "HIGH",
"category": "Networking and Firewall",
"descriptionText": "Security groups allow ingress from 0.0.0.0:0",
"descriptionUrl": "https://www.terraform.io/docs/providers/aws/r/security_group.html",
"platform": "Terraform",
"descriptionID": "ce3ee5e0",
"cloudProvider": "aws"
},
{
"id": "4a1e6b34-1008-4e61-a5f2-1f7c276f8d14",
"queryName": "Unrestricted Security Group Ingress",
"severity": "MEDIUM",
"category": "Networking and Firewall",
"descriptionText": "AWS Security Group Ingress CIDR should not be open to the world",
"descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html",
"platform": "CloudFormation",
"descriptionID": "08256d31",
"cloudProvider": "aws"
}
]
Liveness Probe Is Not Defined
[
{
"id": "5b6d53dd-3ba3-4269-b4d7-f82e880e43c3",
"queryName": "Liveness Probe Is Not Defined",
"severity": "MEDIUM",
"category": "Availability",
"descriptionText": "Liveness Probe must be defined",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#liveness_probe",
"platform": "Terraform",
"descriptionID": "e5105a57"
},
{
"id": "ade74944-a674-4e00-859e-c6eab5bde441",
"queryName": "Liveness Probe Is Not Defined",
"severity": "INFO",
"category": "Availability",
"descriptionText": "In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it",
"descriptionUrl": "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#when-should-you-use-a-liveness-probe",
"platform": "Kubernetes",
"descriptionID": "f724fa60"
}
]
Permissive Access to Create Pods
[
{
"id": "522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba",
"queryName": "Permissive Access to Create Pods",
"severity": "LOW",
"category": "Access Control",
"descriptionText": "The permission to create pods in a cluster should be restricted because it allows privilege escalation.",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role#rule",
"platform": "Terraform",
"descriptionID": "cca5f42d"
},
{
"id": "592ad21d-ad9b-46c6-8d2d-fad09d62a942",
"queryName": "Permissive Access to Create Pods",
"severity": "MEDIUM",
"category": "Access Control",
"descriptionText": "The permission to create pods in a cluster should be restricted because it allows privilege escalation.",
"descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping",
"platform": "Kubernetes",
"descriptionID": "c78cb1a7"
}
]
Different Category
Trusted Microsoft Services Not Enabled
[
{
"id": "5400f379-a347-4bdd-a032-446465fdcc6f",
"queryName": "Trusted Microsoft Services Not Enabled",
"severity": "HIGH",
"category": "Insecure Configurations",
"descriptionText": "Trusted MIcrosoft Services are not enabled for Storage Account access",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass",
"platform": "Terraform",
"descriptionID": "2d2af667",
"cloudProvider": "azure"
},
{
"id": "e25b56cd-a4d6-498f-ab92-e6296a082097",
"queryName": "Trusted Microsoft Services Not Enabled",
"severity": "HIGH",
"category": "Networking and Firewall",
"descriptionText": "Trusted Microsoft Services should be enabled for Storage Account access",
"descriptionUrl": "https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=json#networkruleset",
"platform": "AzureResourceManager",
"cloudProvider": "azure",
"descriptionID": "88ca11b3"
}
]
Project-wide SSH Keys Are Enabled In VM Instances
[
{
"id": "3e4d5ce6-3280-4027-8010-c26eeea1ec01",
"queryName": "Project-wide SSH Keys Are Enabled In VM Instances",
"severity": "MEDIUM",
"category": "Insecure Configurations",
"descriptionText": "VM Instance should block project-wide SSH keys",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance",
"platform": "Terraform",
"descriptionID": "4b9307cd",
"cloudProvider": "gcp"
},
{
"id": "6e2b1ec1-1eca-4eb7-9d4d-2882680b4811",
"queryName": "Project-wide SSH Keys Are Enabled In VM Instances",
"severity": "MEDIUM",
"category": "Secret Management",
"descriptionText": "VM Instance should block project-wide SSH keys",
"descriptionUrl": "https://cloud.google.com/compute/docs/reference/rest/v1/instances",
"platform": "GoogleDeploymentManager",
"descriptionID": "5e36c46d",
"cloudProvider": "gcp"
}
]
BigQuery Dataset Is Public
[
{
"id": "e576ce44-dd03-4022-a8c0-3906acca2ab4",
"queryName": "BigQuery Dataset Is Public",
"severity": "HIGH",
"category": "Access Control",
"descriptionText": "BigQuery dataset is anonymously or publicly accessible",
"descriptionUrl": "https://www.terraform.io/docs/providers/google/r/bigquery_dataset.html",
"platform": "Terraform",
"descriptionID": "cb5081a0",
"cloudProvider": "gcp"
},
{
"id": "83103dff-d57f-42a8-bd81-40abab64c1a7",
"queryName": "BigQuery Dataset Is Public",
"severity": "HIGH",
"category": "Insecure Configurations",
"descriptionText": "BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers'",
"descriptionUrl": "https://cloud.google.com/bigquery/docs/reference/rest/v2/datasets",
"platform": "GoogleDeploymentManager",
"descriptionID": "6737ca8f",
"cloudProvider": "gcp"
}
]
Cloud Storage Anonymous or Publicly Accessible
[
{
"id": "a6cd52a1-3056-4910-96a5-894de9f3f3b3",
"queryName": "Cloud Storage Anonymous or Publicly Accessible",
"severity": "MEDIUM",
"category": "Access Control",
"descriptionText": "Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam#google_storage_bucket_iam_binding",
"platform": "Terraform",
"descriptionID": "fd990360",
"cloudProvider": "gcp"
},
{
"id": "63ae3638-a38c-4ff4-b616-6e1f72a31a6a",
"queryName": "Cloud Storage Anonymous or Publicly Accessible",
"severity": "MEDIUM",
"category": "Insecure Configurations",
"descriptionText": "Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers'",
"descriptionUrl": "https://cloud.google.com/storage/docs/json_api/v1/buckets",
"platform": "GoogleDeploymentManager",
"descriptionID": "2146c969",
"cloudProvider": "gcp"
}
]
Public Lambda via API Gateway
[
{
"id": "3ef8696c-e4ae-4872-92c7-520bb44dfe77",
"queryName": "Public Lambda via API Gateway",
"severity": "MEDIUM",
"category": "Insecure Configurations",
"descriptionText": "Allowing to run lambda function using public API Gateway",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission",
"platform": "Terraform",
"descriptionID": "1f20399a",
"cloudProvider": "aws"
},
{
"id": "57b12981-3816-4c31-b190-a1e614361dd2",
"queryName": "Public Lambda via API Gateway",
"severity": "MEDIUM",
"category": "Access Control",
"descriptionText": "Allowing to run lambda function using public API Gateway",
"descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html",
"platform": "CloudFormation",
"descriptionID": "32ccc415",
"cloudProvider": "aws"
}
]
IAM Password Without Uppercase Letter
[
{
"id": "c5ff7bc9-d8ea-46dd-81cb-8286f3222249",
"queryName": "IAM Password Without Uppercase Letter",
"severity": "MEDIUM",
"category": "Insecure Configurations",
"descriptionText": "Check if IAM account password has at least one uppercase letter",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy",
"platform": "Terraform",
"descriptionID": "4e96ea27",
"cloudProvider": "aws"
},
{
"id": "445020f6-b69e-4484-847f-02d4b7768902",
"queryName": "IAM Password Without Uppercase Letter",
"severity": "MEDIUM",
"category": "Best Practices",
"descriptionText": "IAM user resource Login Profile Password should have at least one uppercase letter",
"descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user",
"platform": "CloudFormation",
"descriptionID": "9d55d1e4",
"cloudProvider": "aws"
}
]
CloudTrail Log Files Not Encrypted
[
{
"id": "5d9e3164-9265-470c-9a10-57ae454ac0c7",
"queryName": "CloudTrail Log Files Not Encrypted",
"severity": "HIGH",
"category": "Observability",
"descriptionText": "Logs delivered by CloudTrail should be encrypted using KMS",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#kms_key_id",
"platform": "Terraform",
"descriptionID": "ee8a4d47",
"cloudProvider": "aws"
},
{
"id": "050a9ba8-d1cb-4c61-a5e8-8805a70d3b85",
"queryName": "CloudTrail Log Files Not Encrypted",
"severity": "HIGH",
"category": "Encryption",
"descriptionText": "Logs delivered by CloudTrail should be encrypted using KMS",
"descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-kmskeyid",
"platform": "CloudFormation",
"descriptionID": "cdc07a23",
"cloudProvider": "aws"
}
]
IAM Password Without Lowercase Letter
[
{
"id": "bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9",
"queryName": "IAM Password Without Lowercase Letter",
"severity": "MEDIUM",
"category": "Insecure Configurations",
"descriptionText": "Check if IAM account password has at least one lowercase letter",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy",
"platform": "Terraform",
"descriptionID": "726cd448",
"cloudProvider": "aws"
},
{
"id": "f4cf35d6-da92-48de-ab70-57be2b2e6497",
"queryName": "IAM Password Without Lowercase Letter",
"severity": "MEDIUM",
"category": "Best Practices",
"descriptionText": "IAM user resource Login Profile Password should have lowercase letter",
"descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user",
"platform": "CloudFormation",
"descriptionID": "b98bf93c",
"cloudProvider": "aws"
}
]
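A consistency check for the cross-platform groups listed above, added here as an example and not part of the issue or of the project's own tooling: it groups query metadata by queryName (case- and whitespace-insensitively, so the "SQS With SSE Disabled" / "SQS with SSE disabled" pair still matches) and buckets each mismatch the way the issue does. The embedded sample is a constructed subset of the metadata quoted above, with ids and descriptionIDs omitted.

```python
import json
from collections import defaultdict

# Constructed sample: a subset of the query metadata quoted in this issue
# (only the fields the check needs; ids and descriptionIDs omitted).
SAMPLE_METADATA = json.loads("""
[
 {"queryName": "Automatic Minor Upgrades Disabled", "severity": "HIGH", "category": "Encryption", "platform": "Terraform"},
 {"queryName": "Automatic Minor Upgrades Disabled", "severity": "MEDIUM", "category": "Best Practices", "platform": "CloudFormation"},
 {"queryName": "SQS With SSE Disabled", "severity": "HIGH", "category": "Insecure Configurations", "platform": "Terraform"},
 {"queryName": "SQS with SSE disabled", "severity": "MEDIUM", "category": "Secret Management", "platform": "CloudFormation"},
 {"queryName": "IAM Policy Grants Full Permissions", "severity": "MEDIUM", "category": "Access Control", "platform": "Terraform"},
 {"queryName": "IAM Policy Grants Full Permissions", "severity": "LOW", "category": "Access Control", "platform": "CloudFormation"},
 {"queryName": "CloudTrail Log Files Not Encrypted", "severity": "HIGH", "category": "Observability", "platform": "Terraform"},
 {"queryName": "CloudTrail Log Files Not Encrypted", "severity": "HIGH", "category": "Encryption", "platform": "CloudFormation"},
 {"queryName": "Shared Host IPC Namespace", "severity": "HIGH", "category": "Insecure Configurations", "platform": "Terraform"},
 {"queryName": "Shared Host IPC Namespace", "severity": "HIGH", "category": "Insecure Configurations", "platform": "Kubernetes"}
]
""")

def normalize_name(name):
    """Group key: lower-cased, whitespace-collapsed queryName, so that
    'SQS with SSE disabled' and 'SQS With SSE Disabled' share a bucket."""
    return " ".join(name.lower().split())

def find_inconsistencies(metadata):
    """Return {group_key: {"severity": set, "category": set, "platforms": list}}
    for every group implemented on more than one platform whose
    severity or category values disagree."""
    groups = defaultdict(list)
    for entry in metadata:
        groups[normalize_name(entry["queryName"])].append(entry)
    report = {}
    for key, entries in groups.items():
        if len(entries) < 2:
            continue  # single-platform query: nothing to compare against
        severities = {e["severity"] for e in entries}
        categories = {e["category"] for e in entries}
        if len(severities) > 1 or len(categories) > 1:
            report[key] = {
                "severity": severities,
                "category": categories,
                "platforms": sorted(e["platform"] for e in entries),
            }
    return report

def classify(report):
    """Label each mismatch with the bucket names used in the issue."""
    out = {}
    for key, info in report.items():
        sev, cat = len(info["severity"]) > 1, len(info["category"]) > 1
        out[key] = ("Different Severity & Category" if sev and cat
                    else "Different Severity" if sev else "Different Category")
    return out

if __name__ == "__main__":
    for name, bucket in sorted(classify(find_inconsistencies(SAMPLE_METADATA)).items()):
        print(f"{bucket}: {name}")
```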
Hi @Lubetkin
I'm happy to inform you that we have already created PR #5292, which solves the issue you reported.
Thank you so much for your input once again.