CloudFormation detectors

Showing all detectors for the CloudFormation language.

Browse by tags
Browse all detectors by tags.
Browse by severity
Browse all detectors by severity.
Browse by category
Browse all detectors by category.

Browse all detectors

Cloudfront Custom SSL Certificate

CloudFront Distribution Resources does not have the Viewer Certificate configuration present.


AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets.

Cloudfront Origin Failover

Amazon CloudFront Distribution is not configured with two Origin Group Members.

Sagemaker Notebook Direct Access

DirectInternetAccess property is set to Enabled and value for SubnetId property is not set.

Cloudwatch Alarm Action Check

CloudWatch alarms have at least one alarm action.

ELB Cross Zone Load Balancing

Cross-zone load balancing is not enabled for the Classic Load Balancer.

Disabled domain logging

Disabled domain logging is detected for AWS Elasticsearch.

Elasticsearch Primary Node

Elasticsearch domains are not configured with at least three dedicated primary nodes.

S3 Bucket SSL Request Only

S3 bucket has policies allowing HTTP requests.

Disabled pitr for global tables

Disabled Dynamodb point in time recovery is detected for global tables.

Redshift Backup Enabled

Amazon Redshift automated snapshot is not enabled for clusters.

Restrict log4j2 message lookup

Allowance of message lookup in Log4j2 by WAF is detected.

RDS instance logging enabled

Amazon Relational Database Service logs (Amazon RDS) are not enabled.

S3 Bucket replication enabled

S3 buckets have cross-region replication not enabled.

IAM Profile Not Attached.

IAM profile is not attached with EC2 instance.

S3 Bucket Default Encryption With AWS KMS

Amazon S3 bucket is not encrypted with AWS KMS key.

Unsecure encryption of DAX at rest

Unsecured encryption of DAX is detected at rest.

Disabled encryption on Aurora at rest

Disabled Encryption is detected for all data in Aurora at rest.

Restrict wildcard in KMS key

The KMS key policy includes wildcard (asterisk) principal.


Amazon CloudFront distribution is configured to return a specific object that is the default root object.

No unrestricted route to igw

Checks if routes to an Internet Gateway have a destination CIDR block of '' or '::/0'.

RDS Auto Version Upgrade

RDS instances with AutoMinorVersionUpgrade property is not present or set to false.

Subnet Auto Assign Public IP

Amazon Virtual Private Cloud (Amazon VPC) subnets are not assigned a public IP address.

Unecrypted AWS Redshift using CMK

Unencrypted AWS Redshift cluster using CMK is detected.

CW Loggroup Retention Period

The Amazon CloudWatch LogGroup retention period is not set.

EMR Kerberos Enabled

EMR cluster resources KerberosAttributes property does not exist.

RedShift Enhanced VPC Routing

Redshift Cluster resources have property EnhancedVpcRouting is not persent or set to false.

Unencryption not prevented

Unencryption is not prevented by Athena workgroup.

Disabled AWS S3 object versioning

Disabled versioning is detected for AWS S3 object.

Ecs Task Definition

Amazon ECS task definitions ContainerDefinitions has User not present and Privileged set to false.

Configure HTTPS for CloudFront distribution ViewerProtocolPolicy

HTTPS is not configured in the ViewerProtocolPolicy of CloudFront distribution.

Monitoring Disabled EC2 instances

Monitoring is not enabled for EC2 instances.

Disabled iam authentication

Disabled IAM authentication is detected for RDS database.

AWS S3 public WRITE permission

AWS S3 bucket allows public WRITE permission.

Over premissive aws private ecr

Overly permissive access is granted for AWS Private ECR repository policy.

Disabled AWS RDS Encryption

Disabled Encryption is detected for AWS RDS DB cluster.

Fsx Resources Protected

FSx File Systems resources do not have LustreConfiguration set with AutomatedBackupRetentionDays.

Cloudtrail S3 Dataevents enabled

AWS CloudTrail trail is not logging Amazon S3 data events for all S3 buckets.

Restrict IAM permissive role assumption

AWS IAM policy permits role permission for assumption for all services.

Timestream database not encrypted

Unencrypted Timestream database is detected with KMS CMK.

Restrict public access on DMS replication instance

DMS replication instance with public accessibility is detected.

Redshift Cluster Maintenance Settings

Amazon Redshift clusters don't have the specified maintenance settings.

DB instance backup enabled

It seems like RDS instances with BackupRetentionPeriod property is not present or is set to 0.

EKS Endpoint No Public Access

Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is publicly accessible.

More Restrictive CIDR

CidrIp Property is set to


Enabled public accessibility for RDS database is detected.

Aurora MySQL Backtracking

Amazon Aurora MySQL cluster has backtracking disabled.

ELB ACM Certificate

Classic Load Balancer configured with HTTPS/SSL listener does not use a certificate provided by ACM.

S3 default lock enabled

S3 ObjectLockEnabled parameter not set to true.

Sagemaker NoteBook Instance Kms

Sagemaker Notebook Instance resources KmsKeyId property does not exist.

Exposed secrets in EC2 user data

Secrets are being revealed by EC2 user data.

S3 ignore public acls not true

S3 Bucket is not configured to IgnorePublicAcls.

Unencrypted code build

Unencryption is detected for CodeBuild project.

Cloudfront SNI Enabled

Amazon CloudFront distributions are not configured to use SNI to serve HTTPS requests.

DynamoDB Table Encryption

All DynamoDB Tables does not have SEE enabled.

Exposed secrets in Lambda function environment variables

The exposure of secrets through Lambda function's environment variables is detected.


Custom Master Key is not used in SNS topic for encryption of messages.

Disabled Neptune logging

Disabled Neptune logging is detected.

API GW Resources Type Check

API GW does not have endpoint configuration set to REGIONAL, PRIVATE, and/or EDGE.

Restricted Common Ports

The security groups in use is allowing unrestricted incoming TCP traffic to the specified ports.

Disabled DynamoDB Point-In-Time Recovery

Disabled DynamoDB Point-In-Time Recovery is detected.

EBS Optimization Disabled EC2 instances

EBS Optimization is not enabled for EC2 instances.

Restrict assumed IAM role access

The IAM role doesn't permit only specific services or principals for assumption.

Autoscaling Launch Config

EC2 Auto Scaling launch configurations are configured to not associate public IP addresses.

Autoscaling Group ELB Health Checks

Auto Scaling groups that are associated with a load balancer are not using Elastic Load Balancing health checks.

Implicit SSH for AWS EKS node group

implicit SSH access from for AWS EKS node group is detected.

Elasticsearch in VPS

Elasticsearch domain does not have VPCOptions or Endpoint properties.

Disabled Glue Data Catalog encryption

Disabled Encryption is detected for the Glue Data Catalog.

Unsecured Encryption in transit for EFS volumes

Unsecured Encryption in transit is detected for EFS volumes in ECS task definitions.

EFS Resources Protected By Backup Plan

EFS File System is not covered by a backup plan.

Disabled enforce https

Disabled EnforceHTTPS is detected for AWS Elasticsearch domains.

Unencrypted EBS Volumes

Instances and Launch configurations with unencrypted EBS volumes is detected.

Restrict public IP association on EC2 instance

EC2 instance with public IP is detected.

RDS Instance Deletion Protection

RDS instances with DeletionProtection property is not present or set to false.

Public READ bucket ACL

The Bucket ACL allows public READ permission.


Application Load Balancer is not set to HTTPS.

Disabled AWS Glue security encryption

Disabled encryption is configured in AWS Glue security.

EC2 Instance In VPC

EC2 instance does not belong to a virtual private cloud (VPC).