Lang
Security
ec2-imdsv1-optional
ec2-imdsv1-optional
AWS EC2 Instance allowing use of the IMDSv1
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)
s3-public-read-bucket
s3-public-read-bucket
S3 bucket with public read access detected.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
OWASP:
- A01:2021 - Broken Access Control
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
OWASP:
- A01:2021 - Broken Access Control
s3-public-rw-bucket
s3-public-rw-bucket
S3 bucket with public read-write access detected.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
OWASP:
- A01:2021 - Broken Access Control
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
OWASP:
- A01:2021 - Broken Access Control
elastic-search-encryption-at-rest
elastic-search-encryption-at-rest
Encryption at rest is not enabled for the elastic search domain resource
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design
ecr-image-scan-on-push
ecr-image-scan-on-push
The ECR Repository isn’t configured to scan images on push
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-1104: Use of Unmaintained Third Party Components
OWASP:
- A06:2021 - Vulnerable and Outdated Components
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-1104: Use of Unmaintained Third Party Components
OWASP:
- A06:2021 - Vulnerable and Outdated Components
eks-insufficient-control-plane-logging
eks-insufficient-control-plane-logging
Missing EKS control plane logging. It is recommended to enable at least Kubernetes API server component logs (“api”) and audit logs (“audit”) of the EKS control plane through the enabled_cluster_log_types attribute.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-778: Insufficient Logging
OWASP:
- A10:2017 - Insufficient Logging & Monitoring
- A09:2021 - Security Logging and Monitoring Failures
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-778: Insufficient Logging
OWASP:
- A10:2017 - Insufficient Logging & Monitoring
- A09:2021 - Security Logging and Monitoring Failures
rds-public-access
rds-public-access
RDS instance accessible from the Internet detected.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
rds-insecure-password-storage-in-source-code
rds-insecure-password-storage-in-source-code
RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-522: Insufficiently Protected Credentials
OWASP:
- A02:2017 - Broken Authentication
- A04:2021 - Insecure Design
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-522: Insufficiently Protected Credentials
OWASP:
- A02:2017 - Broken Authentication
- A04:2021 - Insecure Design
all-origins-allowed
all-origins-allowed
CORS rule on bucket permits any origin
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-942: Permissive Cross-domain Policy with Untrusted Domains
OWASP:
- A05:2021 - Security Misconfiguration
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-942: Permissive Cross-domain Policy with Untrusted Domains
OWASP:
- A05:2021 - Security Misconfiguration
s3-unencrypted-bucket
s3-unencrypted-bucket
This rule has been deprecated, as all s3 buckets are encrypted by default with no way to disable it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-311: Missing Encryption of Sensitive Data
OWASP:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design
eks-public-endpoint-enabled
eks-public-endpoint-enabled
The vpc_config resource inside the eks cluster has not explicitly disabled public endpoint access
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
OWASP:
- A01:2021 - Broken Access Control
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
OWASP:
- A01:2021 - Broken Access Control