Security detectors

Unsecured encryption of SageMaker data at rest

Unsecured encryption at rest is detected for data stored in SageMaker.

Disabled AWS Glue security encryption

Disabled encryption is configured in AWS Glue security.

Restrict IAM asterisk action

Use of an asterisk (*) as an action in IAM policy document statements is detected.

Disabled AWS RDS encryption

Disabled encryption is detected for an AWS RDS DB cluster.

Exposed secrets in EC2 user data

Secrets are being revealed by EC2 user data.

Disabled block public ACLs

A disabled block public ACLs setting is detected for an S3 bucket.

Disabled Glue Data Catalog encryption

Disabled encryption is detected for the Glue Data Catalog.

S3 bucket RestrictPublicBucket not true

S3 bucket is not configured with RestrictPublicBucket set to true.

Non-HTTPS viewer protocol policy

CloudFront distribution ViewerProtocolPolicy is not set to HTTPS.

Restrict log4j2 message lookup

A WAF that allows Log4j2 message lookups is detected.

Restrict overly permissive VPC peering routes

Overly permissive access is granted by the AWS route table with VPC peering to all traffic.

Restrict overly permissive access by AWS EKS to all traffic

Overly permissive access is granted by the AWS EKS cluster security group to all traffic.

Secure AWS Database Migration Service endpoints

Overly permissive access is granted by the AWS route table with VPC peering to all traffic.

Disabled logging for AWS DocumentDB

Disabled logging is detected for AWS DocumentDB.

Unencrypted CodeBuild project

An unencrypted CodeBuild project is detected.

SNS topic uses CMK

A customer master key (CMK) is not used for encryption of messages in the SNS topic.

Enabled RDS public access

Enabled public accessibility is detected for an RDS database.

Unsecured encryption of DAX at rest

Unsecured encryption of DAX is detected at rest.

Public READ bucket ACL

The bucket ACL allows public READ permission.

Disabled detailed monitoring for EC2

Disabled detailed monitoring for EC2 instances is detected.

Disabled IAM authentication

Disabled IAM authentication is detected for an RDS database.

Unencrypted AWS Redshift using CMK

An AWS Redshift cluster that is not encrypted using a CMK is detected.

Implicit SSH for AWS EKS node group

Implicit SSH access from 0.0.0.0/0 for an AWS EKS node group is detected.

Disabled encryption on Aurora at rest

Disabled encryption is detected for all data in Aurora at rest.

Restrict assumed IAM role access

The IAM role does not restrict assumption to specific services or principals.

Restrict AWS IAM policy with full administrative privileges

AWS IAM policy permits full administrative privileges.

Restrict actions with any Principal for S3 buckets

An S3 bucket that allows an action for any Principal is detected.

Disabled ALB drops HTTP headers

An ALB with dropping of HTTP headers disabled is detected.

Restrict IAM policies with full 'asterisk-asterisk' administrative privileges

Creation of IAM policies that allow full 'asterisk-asterisk' administrative privileges is detected.

Disabled Athena database encryption

An unencrypted Athena database is detected.

Use AWS Certificate Manager SSL certificate with Elastic Load Balancer

An SSL certificate from AWS Certificate Manager is not being used by the Elastic Load Balancer.

Unencrypted backup vault

A backup vault that is not encrypted at rest using a KMS CMK is detected.

Avoid hardcoded AWS access keys and secrets credentials

Hardcoded AWS access keys and secrets are embedded in infrastructure.

Restrict IAM password reuse

The AWS IAM password policy permits the reuse of passwords.

Disabled DocumentDB encryption

Unencrypted DocumentDB is detected.

Configure TLS 1.2 in AWS load balancer

TLS 1.2 is not being used by the AWS load balancer.

Misconfigured data encryption at rest for AWS SageMaker instance

Data encryption at rest using KMS key is not configured in AWS SageMaker notebook instance.

Disabled AWS S3 object versioning

Disabled versioning is detected for AWS S3 objects.

Configure HTTPS for CloudFront distribution ViewerProtocolPolicy

HTTPS is not configured in the ViewerProtocolPolicy of CloudFront distribution.

Unsecured encryption in transit for EFS volumes

Unsecured encryption in transit is detected for EFS volumes in ECS task definitions.

Unencrypted EBS Volumes

Instances and launch configurations with unencrypted EBS volumes are detected.

Exposed secrets in Lambda function environment variables

The exposure of secrets through Lambda function's environment variables is detected.

RDS postgresql file read vulnerability

Local file read vulnerability is detected in AWS RDS PostgreSQL.

Undefined Lambda function URL AuthType

Function URL AuthType is not defined for an AWS Lambda function.

Associate AWS Glue component with a security configuration

An AWS Glue component is detected without an associated security configuration.

Restrict public access on DMS replication instance

DMS replication instance with public accessibility is detected.

S3 bucket IgnorePublicAcls not true

S3 bucket is not configured with IgnorePublicAcls set to true.

DynamoDB Table Autoscaling Enabled

Ensure that Auto Scaling is enabled on your DynamoDB tables.

Restrict Neptune cluster instance public access

Public access is detected for a Neptune cluster instance.

Restrict the use of asterisk actions for SQS policy documents

Use of an asterisk (*) as an action in SQS policy document statements is detected.

Disabled Neptune logging

Disabled Neptune logging is detected.

Non-HTTPS load balancer (Terraform)

Application Load Balancer is not set to HTTPS.

Unencrypted CodeBuild projects

Unencrypted CodeBuild projects are detected.

Unencrypted Secrets Manager using CMK

A Secrets Manager secret that is not encrypted using a customer managed key is detected.

AWS S3 public WRITE permission

AWS S3 bucket allows public WRITE permission.

Restrict public IP association on EC2 instance

An EC2 instance with a public IP is detected.

Disabled DynamoDB Point-In-Time Recovery

Disabled DynamoDB Point-In-Time Recovery is detected.