Improve AWS fundings
x4v13r64 committed Jun 21, 2019
1 parent 366710d commit 5ffece0
Showing 41 changed files with 41 additions and 41 deletions.
@@ -1,6 +1,6 @@
{
"description": "Role passed to stack",
"rationale": "Passing a role to CloudFormation stacks may result in privilege escalation because IAM users with privileges within the CloudFormation scope implicitly inherit the stack's role's permissions. Consequently, it should be ensured that the IAM privileges assigned to the stack's role follow the principle of least privilege.",
"rationale": "<b>Description:</b><br><br>Passing a role to CloudFormation stacks may result in privilege escalation because IAM users with privileges within the CloudFormation scope implicitly inherit the stack's role's permissions. Consequently, it should be ensured that the IAM privileges assigned to the stack's role follow the principle of least privilege.",
"path": "cloudformation.regions.id.stacks.id",
"dashboard_name": "Stacks",
"conditions": [ "and",
@@ -1,6 +1,6 @@
{
"description": "Global service logging duplicated",
"rationale": "Global service logging is enabled in multiple Trails. While this does not jeopardize the security of the environment, duplicated entries in logs increase the difficulty to investate potential incidents.",
"rationale": "<b>Description:</b><br><br>Global service logging is enabled in multiple Trails. While this does not jeopardize the security of the environment, duplicated entries in logs increase the difficulty to investate potential incidents.",
"path": "cloudtrail",
"dashboard_name": "Configuration",
"conditions": [ "and",
@@ -1,6 +1,6 @@
{
"description": "Data logging not configured",
"rationale": "CloudTrail data logging is not configured, which means that S3 access is not logged.",
"rationale": "<b>Description:</b><br><br>CloudTrail data logging is not configured, which means that S3 access is not logged.",
"path": "cloudtrail",
"dashboard_name": "Configuration",
"conditions": [ "and",
@@ -1,6 +1,6 @@
{
"description": "Global services logging disabled",
"rationale": "API activity for global services such as IAM and STS is not logged. Investigation of incidents will be incomplete due to the lack of information.",
"rationale": "<b>Description:</b><br><br>API activity for global services such as IAM and STS is not logged. Investigation of incidents will be incomplete due to the lack of information.",
"path": "cloudtrail",
"dashboard_name": "Configuration",
"conditions": [ "and",
@@ -1,6 +1,6 @@
{
"description": "Log file validation disabled",
"rationale": "The lack of log file validation prevents one from verifying the integrity of the log files.",
"rationale": "<b>Description:</b><br><br>The lack of log file validation prevents one from verifying the integrity of the log files.",
"path": "cloudtrail.regions.id.trails.id",
"dashboard_name": "Trails",
"conditions": [ "and",
@@ -1,6 +1,6 @@
{
"description": "Logging disabled",
"rationale": "Logging is disabled for a given Trail. Depending on the configuration, logs for important API activity may be missing.",
"rationale": "<b>Description:</b><br><br>Logging is disabled for a given Trail. Depending on the configuration, logs for important API activity may be missing.",
"path": "cloudtrail.regions.id.trails.id",
"dashboard_name": "Trails",
"conditions": [ "and",
@@ -1,6 +1,6 @@
{
"description": "Not configured",
"rationale": "CloudTrail is not configured, which means that API activity is not logged.",
"rationale": "<b>Description:</b><br><br>CloudTrail is not configured, which means that API activity is not logged.",
"path": "cloudtrail.regions.id",
"dashboard_name": "Regions",
"conditions": [ "and",
@@ -1,6 +1,6 @@
{
"description": "Alarm without action",
"rationale": "Each alarm should have at least one action",
"rationale": "<b>Description:</b><br><br>Each alarm should have at least one action",
"path": "cloudwatch.regions.id.alarms.id",
"dashboard_name": "Alarms",
"conditions": [ "and",
@@ -1,6 +1,6 @@
{
"description": "Not configured",
"rationale": "No Config recorders are configured, which means that changes in AWS resource configuration are not logged.",
"rationale": "<b>Description:</b><br><br>No Config recorders are configured, which means that changes in AWS resource configuration are not logged.",
"path": "config.regions.id",
"dashboard_name": "Regions",
"conditions": [ "and",
@@ -1,6 +1,6 @@
{
"description": "EBS volume not encrypted",
"rationale": "Enabling encryption of EBS volumes ensures that data is encrypted both at-rest and in-transit (between an instance and its attached EBS storage).",
"rationale": "<b>Description:</b><br><br>Enabling encryption of EBS volumes ensures that data is encrypted both at-rest and in-transit (between an instance and its attached EBS storage).",
"path": "ec2.regions.id.volumes.id",
"dashboard_name": "Volumes",
"conditions": [ "and",
@@ -1,7 +1,7 @@
{
"description": "Use of _ARG_0_ instances",
"key": "ec2-instance-type-_STRIPDOTS_(_ARG_0_)",
"rationale": "Policies dictacte EC2 instances of type _ARG_0_ should not be used in this environment",
"rationale": "<b>Description:</b><br><br>Policies dictacte EC2 instances of type _ARG_0_ should not be used in this environment",
"path": "ec2.regions.id.vpcs.id.instances.id",
"dashboard_name": "Instances",
"conditions": [ "and",
@@ -1,7 +1,7 @@
{
"description": "Use of _ARG_0_ instances",
"key": "ec2-instance-type-_STRIPDOTS_(_ARG_0_)",
"rationale": "Policies dictacte _ARG_0_ EC2 instances should not be used in this environment",
"rationale": "<b>Description:</b><br><br>Policies dictacte _ARG_0_ EC2 instances should not be used in this environment",
"path": "ec2.regions.id.vpcs.id.instances.id",
"dashboard_name": "Instances",
"conditions": [ "and",
@@ -1,6 +1,6 @@
{
"description": "Instance with a public IP",
"rationale": "It is good practice to maintain a list of known, publicly accessible instances and flag all other instances thay meet this criteria.",
"rationale": "<b>Description:</b><br><br>It is good practice to maintain a list of known, publicly accessible instances and flag all other instances thay meet this criteria.",
"path": "ec2.regions.id.vpcs.id.instances.id.network_interfaces.id",
"dashboard_name": "Network interfaces",
"conditions": [ "and",
@@ -1,6 +1,6 @@
{
"description": "Secrets in instance user data (potential)",
"rationale": "It was detected that the EC2 instance was configured with user data, which could potentially include secrets. Although user data can only be accessed from within the instance itself, the data is not protected by cryptographic methods. Anyone who can access the instance can view its metadata. It should therefore be ensured that sensitive data, such as passwords and SSH keys, are not stored as user data.",
"rationale": "<b>Description:</b><br><br>It was detected that the EC2 instance was configured with user data, which could potentially include secrets. Although user data can only be accessed from within the instance itself, the data is not protected by cryptographic methods. Anyone who can access the instance can view its metadata. It should therefore be ensured that sensitive data, such as passwords and SSH keys, are not stored as user data.",
"path": "ec2.regions.id.vpcs.id.instances.id",
"dashboard_name": "Instances",
"conditions": [ "and",
@@ -1,6 +1,6 @@
{
"description": "Unused Security Groups",
"rationale": " Non-default security groups were defined which were unused and may not be required. This being the case, their existence in the configuration increases the risk that they may be inappropriately assigned. The unused security groups should be reviewed and removed if no longer required.",
"rationale": "<b>Description:</b><br><br> Non-default security groups were defined which were unused and may not be required. This being the case, their existence in the configuration increases the risk that they may be inappropriately assigned. The unused security groups should be reviewed and removed if no longer required.",
"path": "ec2.regions.id.vpcs.id.security_groups.id",
"dashboard_name": "Security groups",
"conditions": [ "and",
@@ -1,6 +1,6 @@
{
"description": "Lack of access logs",
"rationale": "Access logs enable traffic analysis and identification of security issues.",
"rationale": "<b>Description:</b><br><br>Access logs enable traffic analysis and identification of security issues.",
"path": "elb.regions.id.vpcs.id.elbs.id.attributes.AccessLog.Enabled",
"dashboard_name": "Load Balancer Attributes",
"display_path": "elb.regions.id.vpcs.id.elbs.id",
@@ -1,6 +1,6 @@
{
"description": "Lack of access logs",
"rationale": "Access logs enable traffic analysis and identification of security issues.",
"rationale": "<b>Description:</b><br><br>Access logs enable traffic analysis and identification of security issues.",
"path": "elbv2.regions.id.vpcs.id.lbs.id.attributes.id",
"dashboard_name": "Load Balancer Attributes",
"display_path": "elbv2.regions.id.vpcs.id.lbs.id",
@@ -1,6 +1,6 @@
{
"description": "Lack of deletion protection",
"rationale": "Enabling deletion protection on load balancers mitigates risks of accidental deletion.",
"rationale": "<b>Description:</b><br><br>Enabling deletion protection on load balancers mitigates risks of accidental deletion.",
"path": "elbv2.regions.id.vpcs.id.lbs.id.attributes.id",
"dashboard_name": "Load Balancer Attributes",
"display_path": "elbv2.regions.id.vpcs.id.lbs.id",
@@ -1,6 +1,6 @@
{
"description": "Older SSL/TLS policy",
"rationale": "Use of AWS latest TLS policies is best practice.The recommended predefined security policies are: ELBSecurityPolicy-2016-08, ELBSecurityPolicy-FS-2018-06, ELBSecurityPolicy-TLS-1-1-2017-01, ELBSecurityPolicy-TLS-1-2-2017-01 and ELBSecurityPolicy-TLS-1-2-Ext-2018-06.",
"rationale": "<b>Description:</b><br><br>Use of AWS latest TLS policies is best practice.The recommended predefined security policies are: ELBSecurityPolicy-2016-08, ELBSecurityPolicy-FS-2018-06, ELBSecurityPolicy-TLS-1-1-2017-01, ELBSecurityPolicy-TLS-1-2-2017-01 and ELBSecurityPolicy-TLS-1-2-Ext-2018-06.",
"path": "elbv2.regions.id.vpcs.id.lbs.id.listeners.id.SslPolicy",
"dashboard_name": "Load Balancer Listeners",
"display_path": "elbv2.regions.id.vpcs.id.lbs.id",
@@ -1,6 +1,6 @@
{
"description": "Cross-account AssumeRole policy lacks external ID and MFA",
"rationale": "When authorizing cross-account role assumption, an external ID or MFA should be required.",
"rationale": "<b>Description:</b><br><br>When authorizing cross-account role assumption, an external ID or MFA should be required.",
"path": "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id",
"display_path": "iam.roles.id",
"dashboard_name": "Roles",
@@ -1,6 +1,6 @@
{
"description": "AssumeRole policy lacks MFA",
"rationale": "",
"rationale": "<b>Description:</b><br><br>",
"path": "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id",
"display_path": "iam.roles.id",
"dashboard_name": "Roles",
@@ -1,6 +1,6 @@
{
"description": "AssumeRole policy allows all principals",
"rationale": "Setting the AssumeRole policy's principal attribute to AWS:* means that anyone is authorized to assume the role and access the AWS account.",
"rationale": "<b>Description:</b><br><br>Setting the AssumeRole policy's principal attribute to AWS:* means that anyone is authorized to assume the role and access the AWS account.",
"path": "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id",
"display_path": "iam.roles.id",
"dashboard_name": "Roles",
@@ -1,6 +1,6 @@
{
"description": "Group with no users",
"rationale": "Groups with no users should be reviewed and deleted if not necessary.",
"rationale": "<b>Description:</b><br><br>Groups with no users should be reviewed and deleted if not necessary.",
"path": "iam.groups.id",
"dashboard_name": "groups",
"conditions": [ "and",
@@ -1,7 +1,7 @@
{
"arg_names": [ "IAM entity type" ],
"description": "Inline _ARG_0_ policy allows NotActions",
"rationale": "The combination of \"effect = allow\" and \"NotAction\" results in the policy allowing every action except those listed in the statement. The target policy does not follow the principle of least privilege because thousands of actions exist in AWS and because this policy automatically authorizes users to perform new actions created, regardless of their nature.",
"rationale": "<b>Description:</b><br><br>The combination of \"effect = allow\" and \"NotAction\" results in the policy allowing every action except those listed in the statement. The target policy does not follow the principle of least privilege because thousands of actions exist in AWS and because this policy automatically authorizes users to perform new actions created, regardless of their nature.",
"key": "iam-inline-_ARG_0_-policy-allows-NotActions",
"path": "iam._ARG_0_s.id.inline_policies.id.PolicyDocument.Statement.id",
"display_path": "iam._ARG_0_s.id",
@@ -1,6 +1,6 @@
{
"description": "Managed policy allows NotActions",
"rationale": "The combination of \"effect = allow\" and \"NotAction\" results in the policy allowing every action except those listed in the statement. The target policy does not follow the principle of least privilege because thousands of actions exist in AWS and because this policy automatically authorizes users to perform new actions created, regardless of their nature.",
"rationale": "<b>Description:</b><br><br>The combination of \"effect = allow\" and \"NotAction\" results in the policy allowing every action except those listed in the statement. The target policy does not follow the principle of least privilege because thousands of actions exist in AWS and because this policy automatically authorizes users to perform new actions created, regardless of their nature.",
"path": "iam.policies.id.PolicyDocument.Statement.id",
"display_path": "iam.policies.id",
"dashboard_name": "Policies",
@@ -1,6 +1,6 @@
{
"description": "Managed policy not attached to any entity",
"rationale": "Customer Managed policies should be reviewed and deleted if not necessary.",
"rationale": "<b>Description:</b><br><br>Customer Managed policies should be reviewed and deleted if not necessary.",
"path": "iam.policies.id",
"display_path": "iam.policies.id",
"dashboard_name": "Policies",
@@ -1,6 +1,6 @@
{
"description": "Root account has active X.509 certs",
"rationale": "Root account X.509 certificates should be deleted as they may be used to make SOAP-protocol requests in the context of the root account.",
"rationale": "<b>Description:</b><br><br>Root account X.509 certificates should be deleted as they may be used to make SOAP-protocol requests in the context of the root account.",
"path": "iam.credential_reports.<root_account>",
"dashboard_name": "Root account",
"conditions": [ "or",
@@ -1,6 +1,6 @@
{
"description": "Root account has active keys",
"rationale": "AWS root account access keys should be deleted as they provide unrestricted access to the AWS Account.",
"rationale": "<b>Description:</b><br><br>AWS root account access keys should be deleted as they provide unrestricted access to the AWS Account.",
"path": "iam.credential_reports.<root_account>",
"dashboard_name": "Root account",
"conditions": [ "or",
@@ -1,7 +1,7 @@
{
"arg_names": [ "Key status", "Rotation period" ],
"description": "Lack of key rotation (_ARG_0_)",
"rationale": "In case of access key compromise, the lack of credential rotation increases the period during which an attacker has access to the AWS account",
"rationale": "<b>Description:</b><br><br>In case of access key compromise, the lack of credential rotation increases the period during which an attacker has access to the AWS account",
"key": "iam-user-no-_ARG_0_-key-rotation.json",
"path": "iam.users.id.AccessKeys.id",
"dashboard_name": "Access keys",
@@ -1,7 +1,7 @@
{
"description": "Single AZ RDS instance",
"path": "rds.regions.id.vpcs.id.instances.id",
"rationale": "In case of failure, with a single-AZ deployment configuration, should an availability zone specific database failure occur, Amazon RDS can not automatically fail over to the standby availability zone.",
"rationale": "<b>Description:</b><br><br>In case of failure, with a single-AZ deployment configuration, should an availability zone specific database failure occur, Amazon RDS can not automatically fail over to the standby availability zone.",
"dashboard_name": "Instances",
"conditions": [ "and",
[ "rds.regions.id.vpcs.id.instances.id.MultiAZ", "false", "" ]
@@ -1,7 +1,7 @@
{
"dashboard_name": "Buckets",
"description": "Bucket allowing clear text (HTTP) communication",
"rationale": "If HTTPS is not enforced on the bucket policy, communication between clients and S3 buckets can use unencrypted HTTP. As a result, sensitive information could be transmitted in clear text over the network|Internet.",
"rationale": "<b>Description:</b><br><br>If HTTPS is not enforced on the bucket policy, communication between clients and S3 buckets can use unencrypted HTTP. As a result, sensitive information could be transmitted in clear text over the network|Internet.",
"path": "s3.buckets.id",
"conditions": [ "and",
[ "s3.buckets.id.secure_transport_enabled", "false", "" ]
@@ -1,7 +1,7 @@
{
"dashboard_name": "Buckets",
"description": "Bucket without MFA delete",
"rationale": "Enable MFA delete to help protect objects from accidental or unauthorized deletion. It should be noted that MFA Delete can only be configured on buckets that have versioning enabled.",
"rationale": "<b>Description:</b><br><br>Enable MFA delete to help protect objects from accidental or unauthorized deletion. It should be noted that MFA Delete can only be configured on buckets that have versioning enabled.",
"path": "s3.buckets.id",
"conditions": [ "and",
[ "s3.buckets.id.version_mfa_delete_enabled", "false", "" ]
@@ -1,7 +1,7 @@
{
"dashboard_name": "Buckets",
"description": "Bucket without versioning",
"rationale": "Versioning is a means of keeping multiple variants of an object in the same bucket. With versioning, you can easily recover from both unintended user actions and application failures.",
"rationale": "<b>Description:</b><br><br>Versioning is a means of keeping multiple variants of an object in the same bucket. With versioning, you can easily recover from both unintended user actions and application failures.",
"path": "s3.buckets.id",
"conditions": [ "and",
[ "s3.buckets.id.versioning_status_enabled", "false", "" ]
@@ -1,6 +1,6 @@
{
"description": "DKIM not enabled",
"rationale": "DKIM signing is not enabled for emails sent from the identity.",
"rationale": "<b>Description:</b><br><br>DKIM signing is not enabled for emails sent from the identity.",
"path": "ses.regions.id.identities.id",
"dashboard_name": "Identities",
"conditions": [ "and",
@@ -1,6 +1,6 @@
{
"description": "DKIM not verified",
"rationale": "Amazon SES has not verified the DKIM DNS records (tokens) published in the domain name's DNS.",
"rationale": "<b>Description:</b><br><br>Amazon SES has not verified the DKIM DNS records (tokens) published in the domain name's DNS.",
"path": "ses.regions.id.identities.id",
"dashboard_name": "Identities",
"conditions": [ "and",
