Security detectors
Data stored in SageMaker is not encrypted at rest.
Encryption is disabled in the AWS Glue security configuration.
IAM policy document statements use a wildcard (*) as the action.
Encryption is disabled for the AWS RDS DB cluster.
Secrets are exposed in EC2 user data.
Block public ACLs is disabled for the S3 bucket.
Encryption is disabled for the Glue Data Catalog.
S3 bucket is not configured with RestrictPublicBucket.
CloudFront distribution ViewerProtocolPolicy is not set to HTTPS.
WAF allows Log4j2 message lookups.
AWS route table with VPC peering grants overly permissive access to all traffic.
AWS EKS cluster security group grants overly permissive access to all traffic.
Logging is disabled for AWS DocumentDB.
CodeBuild project is not encrypted.
SNS topic does not use a customer master key (CMK) to encrypt messages.
RDS database is publicly accessible.
DAX data is not encrypted at rest.
The bucket ACL allows public READ permission.
Detailed monitoring is disabled for EC2 instances.
IAM authentication is disabled for the RDS database.
AWS Redshift cluster is not encrypted using a CMK.
AWS EKS node group implicitly allows SSH access from 0.0.0.0/0.
Encryption at rest is disabled for Aurora data.
The IAM role does not restrict assumption to specific services or principals.
AWS IAM policy permits full administrative privileges.
S3 bucket policy allows an action for any principal.
ALB is not configured to drop HTTP headers.
IAM policies that grant full "*:*" administrative privileges are created.
Athena database is not encrypted.
Elastic Load Balancer does not use an SSL certificate from AWS Certificate Manager.
Backup Vault is not encrypted at rest using a KMS CMK.
Hard-coded AWS access keys and secrets are embedded in infrastructure.
The AWS IAM password policy permits password reuse.
DocumentDB is not encrypted.
AWS Load Balancer does not use TLS 1.2.
AWS SageMaker notebook instance is not configured to encrypt data at rest using a KMS key.
Versioning is disabled for the AWS S3 object.
HTTPS is not configured in the ViewerProtocolPolicy of the CloudFront distribution.
Encryption in transit is not enabled for EFS volumes in ECS task definitions.
Instances and launch configurations with unencrypted EBS volumes are detected.
Secrets are exposed through a Lambda function's environment variables.
Local file read vulnerability is detected in AWS RDS PostgreSQL.
AuthType is not defined for the AWS Lambda function URL.
AWS Glue component has no associated security configuration.
DMS replication instance is publicly accessible.
S3 bucket is not configured with IgnorePublicAcls.
Auto Scaling is not enabled on DynamoDB tables.
Neptune cluster instance is publicly available.
SQS policy document statements use a wildcard (*) as the action.
Neptune logging is disabled.
Application Load Balancer is not set to HTTPS.
Unencrypted CodeBuild projects are detected.
Secrets Manager secret is not encrypted using a customer managed key.
AWS S3 bucket allows public WRITE permission.
EC2 instance with public IP is detected.
DynamoDB Point-In-Time Recovery is disabled.