intermediate_checks.txt
                         _
 _ __  _ __ _____      _| | ___ _ __
| '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
| |_) | | | (_) \ V  V /| |  __/ |
| .__/|_|  \___/ \_/\_/ |_|\___|_|v4.5.0
|_| the handy multi-cloud security tool
Date: 2024-11-05 13:45:27
[acm_certificates_expiration_check] Check if ACM Certificates are about to expire in specific days or less - acm [high]
[acm_certificates_with_secure_key_algorithms] Check if ACM Certificates use a secure key algorithm - acm [high]
[autoscaling_find_secrets_ec2_launch_configuration] [DEPRECATED] Find secrets in EC2 Auto Scaling Launch Configuration - autoscaling [critical]
[autoscaling_group_launch_configuration_no_public_ip] Check if Amazon EC2 instances launched using Auto Scaling group launch configurations have Public IP addresses. - autoscaling [high]
[autoscaling_group_launch_configuration_requires_imdsv2] Check if Auto Scaling group launch configurations require Instance Metadata Service Version 2 (IMDSv2). - autoscaling [high]
[awslambda_function_no_secrets_in_code] Find secrets in Lambda functions code. - lambda [critical]
[awslambda_function_no_secrets_in_variables] Find secrets in Lambda functions variables. - lambda [critical]
[awslambda_function_not_publicly_accessible] Check if Lambda functions have resource-based policy set as Public. - lambda [critical]
[awslambda_function_url_public] Check Public Lambda Function URL. - lambda [high]
[bedrock_agent_guardrail_enabled] Ensure that Guardrails are enabled for Amazon Bedrock agent sessions. - bedrock [high]
[bedrock_guardrail_prompt_attack_filter_enabled] Configure Prompt Attack Filter with the highest strength for Amazon Bedrock Guardrails. - bedrock [high]
[bedrock_guardrail_sensitive_information_filter_enabled] Configure Sensitive Information Filters for Amazon Bedrock Guardrails. - bedrock [high]
[bedrock_model_invocation_logs_encryption_enabled] Ensure that Amazon Bedrock model invocation logs are encrypted with KMS. - bedrock [high]
[cloudformation_stack_outputs_find_secrets] Find secrets in CloudFormation outputs - cloudformation [critical]
[cloudfront_distributions_default_root_object] Check if CloudFront distributions have a default root object. - cloudfront [high]
[cloudfront_distributions_s3_origin_non_existent_bucket] CloudFront distributions should not point to non-existent S3 origins without static website hosting. - cloudfront [high]
[cloudtrail_logs_s3_bucket_is_not_publicly_accessible] Ensure the S3 bucket for CloudTrail logs is not publicly accessible - cloudtrail [critical]
[cloudtrail_multi_region_enabled] Ensure CloudTrail is enabled in all regions - cloudtrail [high]
[cloudtrail_threat_detection_enumeration] Ensure there are no potential enumeration threats in CloudTrail - cloudtrail [critical]
[cloudtrail_threat_detection_llm_jacking] Ensure there are no potential LLM Jacking threats in CloudTrail. - cloudtrail [critical]
[cloudtrail_threat_detection_privilege_escalation] Ensure there are no potential privilege escalation threats in CloudTrail - cloudtrail [critical]
[cloudwatch_alarm_actions_alarm_state_configured] Check if CloudWatch alarms have specified actions configured for the ALARM state. - cloudwatch [high]
[cloudwatch_alarm_actions_enabled] Check if CloudWatch alarms have actions enabled - cloudwatch [high]
[cloudwatch_log_group_not_publicly_accessible] Ensure that CloudWatch Log Groups are not publicly accessible - cloudwatch [high]
[codeartifact_packages_external_public_publishing_disabled] Ensure CodeArtifact internal packages do not allow external public source publishing. - codeartifact [critical]
[codebuild_project_no_secrets_in_variables] Ensure CodeBuild projects do not contain secrets on plaintext environment variables - codebuild [critical]
[codebuild_project_source_repo_url_no_sensitive_credentials] Ensure CodeBuild project source repository URLs do not contain sensitive credentials - codebuild [critical]
[datasync_task_logging_enabled] DataSync tasks should have logging enabled - datasync [high]
[dms_endpoint_ssl_enabled] Ensure SSL mode is enabled in DMS endpoint - dms [high]
[dms_instance_no_public_access] Ensure DMS instances are not publicly accessible. - dms [critical]
[documentdb_cluster_public_snapshot] Check if DocumentDB manual cluster snapshot is public. - documentdb [critical]
[ec2_ami_public] Ensure there are no EC2 AMIs set as Public. - ec2 [critical]
[ec2_ebs_public_snapshot] Ensure there are no EBS Snapshots set as Public. - ec2 [critical]
[ec2_ebs_snapshot_account_block_public_access] Ensure that public access to EBS snapshots is disabled - ec2 [high]
[ec2_elastic_ip_shodan] Check if any of the Elastic or Public IPs are in Shodan (requires Shodan API KEY). - ec2 [high]
[ec2_instance_port_cassandra_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to Cassandra ports (TCP 7000, 7001, 7199, 9042, 9160). - ec2 [critical]
[ec2_instance_port_cifs_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 139 or 445 (CIFS). - ec2 [critical]
[ec2_instance_port_elasticsearch_kibana_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to Elasticsearch and Kibana ports (TCP 9200, 9300, 5601). - ec2 [critical]
[ec2_instance_port_ftp_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 20 or 21 (FTP) - ec2 [critical]
[ec2_instance_port_kafka_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 9092 (Kafka). - ec2 [critical]
[ec2_instance_port_kerberos_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 88, 464, 749 or 750 (Kerberos). - ec2 [critical]
[ec2_instance_port_ldap_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 389 or 636 (LDAP). - ec2 [critical]
[ec2_instance_port_memcached_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 11211 (Memcached). - ec2 [critical]
[ec2_instance_port_mongodb_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 27017 or 27018 (MongoDB) - ec2 [critical]
[ec2_instance_port_mysql_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 3306 (MySQL). - ec2 [critical]
[ec2_instance_port_oracle_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 1521, 2483 or 2484 (Oracle). - ec2 [critical]
[ec2_instance_port_postgresql_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 5432 (PostgreSQL) - ec2 [critical]
[ec2_instance_port_rdp_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 3389 (RDP) - ec2 [critical]
[ec2_instance_port_redis_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 6379 (Redis). - ec2 [critical]
[ec2_instance_port_sqlserver_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 1433 or 1434 (SQL Server). - ec2 [critical]
[ec2_instance_port_ssh_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 22 (SSH) - ec2 [critical]
[ec2_instance_port_telnet_exposed_to_internet] Ensure no EC2 instances allow ingress from the internet to TCP port 23 (Telnet). - ec2 [critical]
[ec2_instance_secrets_user_data] Find secrets in EC2 User Data. - ec2 [critical]
[ec2_launch_template_no_public_ip] Amazon EC2 launch templates should not assign public IPs to network interfaces. - ec2 [high]
[ec2_launch_template_no_secrets] Find secrets in EC2 Launch Template - ec2 [critical]
[ec2_securitygroup_allow_ingress_from_internet_to_all_ports] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to all ports. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_any_port] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to any port. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to high risk ports. - ec2 [critical]
[ec2_securitygroup_allow_ingress_from_internet_to_port_mongodb_27017_27018] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MongoDB ports 27017 and 27018. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to FTP ports 20 or 21. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to SSH port 22. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_cassandra_7199_9160_8888] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199 or 9160 or 8888. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_elasticsearch_kibana_9200_9300_5601] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana ports. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_kafka_9092] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Kafka port 9092. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_memcached_11211] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Memcached port 11211. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_mysql_3306] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to MySQL port 3306. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_oracle_1521_2483] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Oracle ports 1521 or 2483. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_postgres_5432] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Postgres port 5432. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_redis_6379] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Redis port 6379. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_sql_server_1433_1434] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Windows SQL Server ports 1433 or 1434. - ec2 [high]
[ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_telnet_23] Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Telnet port 23. - ec2 [high]
[ec2_securitygroup_allow_wide_open_public_ipv4] Ensure no security groups allow ingress and egress from wide-open IP addresses with a mask between 0 and 24. - ec2 [high]
[ec2_securitygroup_default_restrict_traffic] Ensure the default security group of every VPC restricts all traffic. - ec2 [high]
[ec2_securitygroup_with_many_ingress_egress_rules] Find security groups with more than 50 ingress or egress rules. - ec2 [high]
[ec2_transitgateway_auto_accept_vpc_attachments] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests - ec2 [high]
[ecr_repositories_not_publicly_accessible] Ensure there are no ECR repositories set as Public - ecr [critical]
[ecs_service_no_assign_public_ip] ECS services should not assign public IPs automatically - ecs [high]
[ecs_task_definitions_containers_readonly_access] ECS containers should be limited to read-only access to root filesystems - ecs [high]
[ecs_task_definitions_host_namespace_not_shared] ECS task definitions should not share the host's process namespace - ecs [high]
[ecs_task_definitions_host_networking_mode_users] Amazon ECS task definitions should have secure networking modes and user definitions - ecs [high]
[ecs_task_definitions_logging_enabled] ECS task definitions containers should have a logging configuration - ecs [high]
[ecs_task_definitions_no_environment_secrets] Check if secrets exist in ECS task definitions environment variables - ecs [critical]
[ecs_task_definitions_no_privileged_containers] ECS task definitions shouldn't have privileged containers - ecs [high]
[ecs_task_set_no_assign_public_ip] ECS task sets should not automatically assign public IP addresses - ecs [high]
[eks_cluster_network_policy_enabled] Ensure Network Policy is Enabled and Set as Appropriate - eks [high]
[eks_cluster_not_publicly_accessible] Ensure EKS Clusters are not publicly accessible - eks [high]
[eks_cluster_private_nodes_enabled] Ensure Clusters are created with Private Nodes - eks [high]
[eks_cluster_uses_a_supported_version] Ensure Kubernetes cluster runs on a supported Kubernetes version - eks [high]
[elasticache_redis_cluster_auto_minor_version_upgrades] Ensure Elasticache Redis cache clusters have automatic minor upgrades enabled. - elasticache [high]
[elasticache_redis_cluster_backup_enabled] Ensure Elasticache Redis cache cluster has automatic backups enabled. - elasticache [high]
[elasticbeanstalk_environment_cloudwatch_logging_enabled] Elastic Beanstalk environment should stream logs to CloudWatch - elasticbeanstalk [high]
[elasticbeanstalk_environment_managed_updates_enabled] Elastic Beanstalk managed platform updates should be enabled - elasticbeanstalk [high]
[emr_cluster_account_public_block_enabled] EMR Account Public Access Block enabled. - emr [high]
[eventbridge_bus_cross_account_access] Ensure that AWS EventBridge event buses do not allow unknown cross-account access for delivery of events. - eventbridge [high]
[eventbridge_bus_exposed] Ensure that your AWS EventBridge event bus is not exposed to everyone - eventbridge [high]
[eventbridge_schema_registry_cross_account_access] Ensure that AWS EventBridge schema registries do not allow unknown cross-account access for delivery of events. - eventbridge [high]
[glacier_vaults_policy_public_access] Check if S3 Glacier vaults have policies which allow access to everyone. - glacier [critical]
[glue_data_catalogs_not_publicly_accessible] Ensure Glue Data Catalogs are not publicly accessible. - glue [high]
[guardduty_ec2_malware_protection_enabled] Ensure that GuardDuty Malware Protection for EC2 is enabled. - guardduty [high]
[guardduty_eks_audit_log_enabled] GuardDuty EKS Audit Log Monitoring Enabled - guardduty [high]
[guardduty_lambda_protection_enabled] Check if GuardDuty Lambda Protection is enabled. - guardduty [high]
[guardduty_no_high_severity_findings] There are High severity GuardDuty findings - guardduty [high]
[guardduty_rds_protection_enabled] Check if GuardDuty RDS Protection is enabled. - guardduty [high]
[guardduty_s3_protection_enabled] Check if GuardDuty S3 Protection is enabled. - guardduty [high]
[iam_administrator_access_with_mfa] Ensure users of groups with AdministratorAccess policy have MFA tokens enabled - iam [high]
[iam_avoid_root_usage] Avoid the use of the root accounts - iam [high]
[iam_aws_attached_policy_no_administrative_privileges] Ensure IAM AWS-Managed policies that allow full "*:*" administrative privileges are not attached - iam [high]
[iam_customer_attached_policy_no_administrative_privileges] Ensure IAM Customer-Managed policies that allow full "*:*" administrative privileges are not attached - iam [high]
[iam_group_administrator_access_policy] Ensure No IAM Groups Have Administrator Access Policy - iam [high]
[iam_inline_policy_allows_privilege_escalation] Ensure no IAM Inline policies allow actions that may lead to Privilege Escalation - iam [high]
[iam_inline_policy_no_administrative_privileges] Ensure IAM inline policies that allow full "*:*" administrative privileges are not associated with IAM identities - iam [high]
[iam_no_custom_policy_permissive_role_assumption] Ensure that no custom IAM policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *) - iam [high]
[iam_no_expired_server_certificates_stored] Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed. - iam [critical]
[iam_no_root_access_key] Ensure no root account access key exists - iam [critical]
[iam_policy_allows_privilege_escalation] Ensure no Customer Managed IAM policies allow actions that may lead to Privilege Escalation - iam [high]
[iam_role_administratoraccess_policy] Ensure IAM Roles do not have AdministratorAccess policy attached - iam [high]
[iam_role_cross_account_readonlyaccess_policy] Ensure IAM Roles do not have ReadOnlyAccess access for external AWS accounts - iam [high]
[iam_role_cross_service_confused_deputy_prevention] Ensure IAM Service Roles prevent a cross-service confused deputy attack - iam [high]
[iam_root_hardware_mfa_enabled] Ensure only hardware MFA is enabled for the root account - iam [critical]
[iam_root_mfa_enabled] Ensure MFA is enabled for the root account - iam [critical]
[iam_user_administrator_access_policy] Ensure No IAM Users Have Administrator Access Policy - iam [high]
[iam_user_mfa_enabled_console_access] Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password. - iam [high]
[kafka_cluster_is_public] Kafka Cluster Exposed to the Public - kafka [high]
[kafka_cluster_unrestricted_access_disabled] Ensure Kafka Cluster has unrestricted access disabled - kafka [high]
[kms_cmk_not_deleted_unintentionally] AWS KMS keys should not be deleted unintentionally - kms [critical]
[lightsail_database_public] Check if the database has the public mode. - lightsail [high]
[lightsail_instance_public] Ensure that Lightsail instances are not publicly accessible - lightsail [high]
[macie_automated_sensitive_data_discovery_enabled] Check if Macie automated sensitive data discovery is enabled. - macie [high]
[neptune_cluster_public_snapshot] Check if NeptuneDB manual cluster snapshot is public. - neptune [critical]
[neptune_cluster_storage_encrypted] Check if Neptune Clusters storage is encrypted at rest. - neptune [high]
[opensearch_service_domains_not_publicly_accessible] Check if Amazon Opensearch/Elasticsearch domains are publicly accessible - opensearch [critical]
[opensearch_service_domains_use_cognito_authentication_for_kibana] Check if Amazon Elasticsearch/Opensearch Service domains have either Amazon Cognito or SAML authentication for Kibana enabled - opensearch [high]
[organizations_delegated_administrators] Check if AWS Organizations delegated administrators are trusted - organizations [high]
[rds_instance_certificate_expiration] Ensure that the SSL/TLS certificates configured for your Amazon RDS are not expired. - rds [high]
[rds_instance_inside_vpc] Check if RDS instances are deployed within a VPC. - rds [high]
[rds_instance_no_public_access] Ensure there are no Publicly Accessible RDS instances. - rds [critical]
[rds_instance_transport_encrypted] Check if RDS instances enforce SSL/TLS encryption for client connections (Microsoft SQL Server, PostgreSQL, MySQL, MariaDB, Aurora PostgreSQL, and Aurora MySQL). - rds [high]
[rds_snapshots_public_access] Check if RDS Snapshots and Cluster Snapshots are public. - rds [critical]
[redshift_cluster_automatic_upgrades] Check for Redshift Automatic Version Upgrade - redshift [high]
[redshift_cluster_public_access] Check for Publicly Accessible Redshift Clusters - redshift [high]
[route53_dangling_ip_subdomain_takeover] Check if Route53 Records contain dangling IPs. - route53 [high]
[s3_access_point_public_access_block] Block Public Access Settings enabled on Access Points. - s3 [critical]
[s3_account_level_public_access_blocks] Check S3 Account Level Public Access Block. - s3 [high]
[s3_bucket_cross_account_access] Ensure that general-purpose bucket policies restrict access to other AWS accounts. - s3 [high]
[s3_bucket_policy_public_write_access] Check if S3 buckets have policies which allow WRITE access. - s3 [critical]
[s3_bucket_public_access] Ensure there are no S3 buckets open to Everyone or Any AWS user. - s3 [critical]
[s3_bucket_public_list_acl] Ensure there are no S3 buckets listable by Everyone or Any AWS customer. - s3 [critical]
[s3_bucket_public_write_acl] Ensure there are no S3 buckets writable by Everyone or Any AWS customer. - s3 [critical]
[s3_multi_region_access_point_public_access_block] Block Public Access Settings enabled on Multi Region Access Points. - s3 [high]
[secretsmanager_not_publicly_accessible] Ensure Secrets Manager secrets are not publicly accessible. - secretsmanager [high]
[ses_identity_not_publicly_accessible] Ensure that SES identities are not publicly accessible - ses [high]
[sns_subscription_not_using_http_endpoints] Ensure there are no SNS subscriptions using HTTP endpoints - sns [high]
[sns_topics_kms_encryption_at_rest_enabled] Ensure there are no SNS Topics unencrypted - sns [high]
[sns_topics_not_publicly_accessible] Check if SNS topics have policy set as Public - sns [high]
[sqs_queues_not_publicly_accessible] Check if SQS queues have policy set as Public - sqs [critical]
[ssm_document_secrets] Find secrets in SSM Documents. - ssm [critical]
[ssm_documents_set_as_public] Check if there are SSM Documents set as public. - ssm [high]
[ssm_managed_compliant_patching] Check if EC2 instances managed by Systems Manager are compliant with patching requirements. - ssm [high]
[workspaces_volume_encryption_enabled] Ensure that your Amazon WorkSpaces storage volumes are encrypted in order to meet security and compliance requirements - workspaces [high]
There are 160 available checks.